23542300x800000000000000086550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:01:53.436{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D1CEBBA33B6D4EEE8D1AC3F269E9E78,SHA256=4329331C84A10C18D2C479C31CC75840DD50BD296995B567B3735F316CBA9F9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000116953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:01:53.154{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B85B67BD58298902D66F8F4E55382FF2,SHA256=E4263B9046828D4F86A407BF378D34C3C70B5DDE817ABCBE3ACC983CB9DB5DBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000116952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:01:53.044{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D1512AA8C8550883AE756CE154A410C3,SHA256=39E627D077C3109932F1106A29AEA437986FA88DD510325A8158E673AACDCC2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:01:54.521{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1ACC7C3C61F02AF05B896CE98AB54FA,SHA256=F60C95B1B128FBD25D00730C5F4243F417A26737DA7805328AC935D2D6158DBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000116956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:01:54.764{3F28B219-1285-63EE-1100-00000000BA02}756NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3B8511BB28C43A06B5EFF530CF7CAA1E,SHA256=D68C93DB577542A51F5567F937FD3C1CFC0935958284961AA271CAEBE95F4CF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000116955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:01:52.380{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64550-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000116954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:01:54.252{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68D94078E11607A985D08EF7191E8D75,SHA256=71B58983CA172A6E91AA62CDC60EED3D0BC9CF88FCCA0380B1809DBD11072DFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:01:51.133{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51536-false10.0.1.12-8000- 23542300x800000000000000086556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:01:55.610{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=473771CA64FA068DE808100344148CC6,SHA256=6A1FB7B78FBE5F96C7BEAA76A43833F6BC445EEC35699B9B784724EE78AAE319,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:01:55.563{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:01:55.563{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:01:55.563{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000116957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:01:55.337{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=264680EE519ABF1905E050CEF6988958,SHA256=F9B72FF30F88EB3745723F838142CD1744344A13D19525455D5550EBD18B6E5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:01:56.690{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0C9592ED61FC9E441CDA9C9A08E7507,SHA256=8FDA1D0EE2CA7A208C828FEF5D9823B12866A03D45BC2C9EA7839D146CD838EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000116958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:01:56.436{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F4CDF3578917366773BD5E559380B5B,SHA256=24BECCDE9943489492BA03FEF1C85C8758A3D9F326263C147B301693B0761C0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:01:57.775{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4432A311B74A2AAD52881154C88424C,SHA256=9D8408CB24A26CAE7034BD741F6CFCEC759F67F818B7A32C7589F6D934E18908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000116959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:01:57.513{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA994C41751C3A7346AD5AEE8AD42261,SHA256=D4C8572D4CAB79D1D9C03141E7ABA504D4FBC91464CB455DD900DB09FDFDC7AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:01:58.872{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE43AE59E91306A7193F871213749BAD,SHA256=B088B949C608B1869D898739F2429EB9CD55505E896F836E7D7BDF920C24B39E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000116960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:01:58.580{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DFB52F737AAB79747FE405ACA144EE7,SHA256=D74E3A46C484EF68FDC4544030DC7C24AFAB61C6BEB92E31A3CDAA2311FE7171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:01:59.962{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1A97ECD29467727A9142171DC8F5F8E,SHA256=060A968A0CEB38452E99E566BAD2A110AE0A684F4DB4C4FBBE2395DF02AF4C9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000116962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:01:59.664{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEFA0B73E176BF1E8455785E61C952E6,SHA256=A559445E3CCA95746E46522BD80E83833374AC57E2706884AC63D98D91A52F45,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:01:57.145{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51537-false10.0.1.12-8000- 354300x8000000000000000116961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:01:58.249{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64551-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000116963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:00.766{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3490A0642FF4B03E272D815CCABC9C5B,SHA256=B8AF98ED494192A2047B4AEE7B586641FA4337982318F23710610AE7C130C71E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:00.994{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000086573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:00.960{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000086572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:00.951{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000086571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:00.942{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000086570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:00.933{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000086569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:00.925{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000086568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:00.917{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000086567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:00.902{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000086566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:00.877{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000086565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:00.848{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000086564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:00.824{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000086563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:00.813{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 23542300x800000000000000086562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:00.723{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=281B95656156CCFC1211A59F701603F1,SHA256=86EC2ED804979D2F26D869E18FE5EEF314C2344A30388E16CC0816FC1020DA93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000116965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:01.857{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=972BA58C43D25811957C18BA88FC1A70,SHA256=34DA878A39BDE34633C8DFF1A40403FC40D806C48FF01E70F49455C16391C5D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000116964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:01.439{3F28B219-1293-63EE-2700-00000000BA02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-005f8c708c98243a3\channels\health\respondent-20230216112509-152MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:01.080{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000086591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:01.077{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000086590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:01.075{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000086589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:01.071{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000086588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:01.070{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000086587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:01.067{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000086586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:01.066{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000086585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:01.065{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000086584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:01.063{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000086583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:01.060{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000086582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:01.059{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000086581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:01.054{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000086580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:01.045{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000086579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:01.043{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 23542300x800000000000000086578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:01.033{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95D0A72B2E921F600685D1B93B061F29,SHA256=329B6E8AA4CC4063787D0938B99E0AB5CD651C4F7ADB99317D42F62E54A6B03E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:01.028{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000086576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:01.024{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000086575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:01.007{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 23542300x8000000000000000116967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:02.937{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87355AF219D8D11D42A60ECF563250FE,SHA256=553F45ACA8753A328F74EB3B5A4DB945A1595F8BD5D6F19C94BE37026C09EB36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000116966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:02.463{3F28B219-1293-63EE-2700-00000000BA02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-005f8c708c98243a3\channels\health\surveyor-20230216112508-153MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:02.014{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2A2DDCCF117B96DC81F626671319C63,SHA256=37C8618A304E13AC69EC523162CE8260B2EFC2F9322982EAA7DF52A472C5F399,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:01:59.811{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51538-false10.0.1.12-8089- 23542300x800000000000000086594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:03.091{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AC8362C5021B0B6DE356175F02CA1B8,SHA256=DC3705305E2C1B4CD4486274AF04629B9D6426F6FE8F88AB32C84ECFFAA856A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:02.272{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51539-false10.0.1.12-8000- 23542300x800000000000000086596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:04.207{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCB60E504B42026DFD876E11EDE605C1,SHA256=AB51362A5A49923897E481F6FA76902B2B5E507D154D0012622FC9AEB653EDBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000116968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:04.037{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=846F4E175110531744668F88B6427B2A,SHA256=2D2E59FE33E37C5DE3A8614C3F447A2C536D6FA2642118B87F15820B66288891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:05.311{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03D96521D8C1BB0D5F4F5F57AE2E21F8,SHA256=FDC4218D3DFC4B6B2C822DDF2D81C83C250DFD6D6D1060D547656DAF0A4E53CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000116970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:04.180{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64552-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000116969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:05.136{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3E6FAE4A36D14B6C16806941AD947CA,SHA256=0CCE6E15FD613F125AFD2A6146B8A9C708284A064285949EE619B8E3A7659711,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:06.420{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0B991C73E95393AF85EDB84894273D5,SHA256=889D027389FAE0AE4111E008FE0B9EE2508E455D5E0EB4AF3CEBCAA5FF208E5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000116971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:06.227{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A498A649BCE75AC6E653D460F891A18,SHA256=D09EBBD6109CF5A230668F90A86DCE64F6D46E00ACE55B98CA6A5429037A7190,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:07.696{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1E00-00000000BB02}1976C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000086600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:07.534{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=844CC9998CD5759AA430CA748CBAA1FA,SHA256=538FC67A482D5E983BC8E1BCD335E01C14AFC9AA32702697CBC889E414AA38E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000116972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:07.300{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE6CF78DC5300E80886EC9BB21F5A8E7,SHA256=9E53DB38CAA65E8E0EFF51246FC43A818F5E36E5F73A84DBAE2A9E77CF123571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:08.641{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D405E6A648AF2F2D6DAD1C3FF46E492,SHA256=90D925153A17D61D202585E8205D73C3BC9E959796753CBBEDE5B4E74E53E046,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000116973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:08.389{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA5E1DEB6B966C93B612C6CCEF86148B,SHA256=51AC291C2978C9B973C7B703810B6E01ABF94DEB17EEA1D96662EA1F76B054C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:09.755{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A361474E293F717C0E82D674752237B2,SHA256=9635ECCD91BB3223940F45439FAB54ACB7862760503F4DE70BDC2D12E8CE9995,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:09.951{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 23542300x8000000000000000116999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:09.479{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEF7478C065ECC7312BD4AA71B7A8FF9,SHA256=DF7A62C789B4D41843ABFB4F86753DD5CAC05366A02B4B1666235BFF3EE54A21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000116998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:09.425{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000116997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:09.418{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000116996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:09.415{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000116995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:09.410{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000116994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:09.403{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000116993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:09.395{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000116992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:09.392{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000116991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:09.377{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000116990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:09.367{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000116989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:09.363{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000116988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:09.361{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000116987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:09.359{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000116986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:09.352{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000116985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:09.332{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000116984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:09.323{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000116983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:09.314{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000116982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:09.300{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000116981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:09.279{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000116980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:09.261{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000116979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:09.211{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000116978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:09.202{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000116977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:09.190{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000116976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:09.179{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000116975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:09.125{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000116974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:09.121{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 23542300x800000000000000086618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:10.855{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3468198C35EA514348CDC4D101C7739,SHA256=F851F2ACBAF5CED7E81E538140243C5A95BEBAE3EEAE2EEA30DBCC9F9CBAE147,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:10.650{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=281B95656156CCFC1211A59F701603F1,SHA256=86EC2ED804979D2F26D869E18FE5EEF314C2344A30388E16CC0816FC1020DA93,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:09.379{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64553-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000117001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:10.430{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E18A8F472A573D8B557D6F2F4D17F74D,SHA256=E18DA2A777313A87FE9D33B726FC91364BBCC4744A97772C871CD83A1DE5D515,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:10.683{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3762-63EE-DA04-00000000BB02}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:10.683{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:10.683{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:10.683{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:10.683{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:10.683{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:10.683{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:10.683{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:10.683{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:10.683{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:10.683{A847701F-127E-63EE-0500-00000000BB02}4122040C:\Windows\system32\csrss.exe{A847701F-3762-63EE-DA04-00000000BB02}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:10.683{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3762-63EE-DA04-00000000BB02}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:10.684{A847701F-3762-63EE-DA04-00000000BB02}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000086604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:07.351{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51540-false10.0.1.12-8000- 23542300x800000000000000086635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:11.982{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E743668930FC58CA744E7F9F8B0EF7ED,SHA256=C375208496673D55A8C626FD162D954634826E68695EB65229F00F47F8D23AC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:11.975{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000117006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:11.974{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000117005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:11.972{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 23542300x8000000000000000117004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:11.514{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC960224CF81DAC5FC086A804C6D93D7,SHA256=303A0859C5CE0B610ABB8B13DD080098B9E5F4E44B57C276D9C0FD12762E59E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:11.714{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F96E80C088D8E4AE5337B4013F850C19,SHA256=58273764D82B06F467C9DC9EC8C06BD7FF3A867C569F78457CDAE1AAEDD0DF85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:11.713{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=03C376592883404086573039CFC9BAFA,SHA256=9AFED6B2376E224E62A9C34F3B0CC9BC8F892EC02CFF7F321F30C638B201A5C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:11.661{A847701F-3763-63EE-DB04-00000000BB02}1956376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:11.355{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3763-63EE-DB04-00000000BB02}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:11.355{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:11.355{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:11.355{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:11.355{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:11.355{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:11.355{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:11.355{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:11.355{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:11.355{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:11.355{A847701F-127E-63EE-0500-00000000BB02}4122040C:\Windows\system32\csrss.exe{A847701F-3763-63EE-DB04-00000000BB02}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:11.355{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3763-63EE-DB04-00000000BB02}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:11.356{A847701F-3763-63EE-DB04-00000000BB02}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000117023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:12.674{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000117022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:12.667{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000117021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:12.655{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000117020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:12.632{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 354300x8000000000000000117019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:10.792{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64554-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000117018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:12.563{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000117017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:12.546{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 23542300x8000000000000000117016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:12.521{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40DD6B5F64D5C47A0E86FA52B3D8F79A,SHA256=59773F4BFBB7778DACA5DB2112859FBC5C8E4C7A870897D69468D40374A3EA15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:12.515{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000117014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:12.501{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000117013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:12.495{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000117012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:12.492{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000117011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:12.487{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000117010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:12.483{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000117009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:12.482{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x8000000000000000117008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:12.479{3F28B219-14C1-63EE-EE00-00000000BA02}54885636C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 23542300x8000000000000000117024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:13.601{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4F62D031E7E03E322631AB59368E607,SHA256=0BE1E781A9D0A1E0F1887E41EBBE18332BFF425B24016F2E4595663E1722E2D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:13.667{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3765-63EE-DC04-00000000BB02}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000086655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:13.667{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3765-63EE-DC04-00000000BB02}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000086654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:13.667{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3765-63EE-DC04-00000000BB02}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000086653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:13.666{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3765-63EE-DC04-00000000BB02}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000086652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:13.666{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3765-63EE-DC04-00000000BB02}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000086651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:13.666{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3765-63EE-DC04-00000000BB02}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000086650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:13.529{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3765-63EE-DC04-00000000BB02}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:13.529{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:13.529{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:13.529{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:13.529{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:13.529{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:13.529{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:13.529{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:13.529{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:13.529{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:13.529{A847701F-127E-63EE-0500-00000000BB02}412428C:\Windows\system32\csrss.exe{A847701F-3765-63EE-DC04-00000000BB02}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:13.529{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3765-63EE-DC04-00000000BB02}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:13.530{A847701F-3765-63EE-DC04-00000000BB02}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000086637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:13.247{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=11C049E2260F0332DEB3FE282BC858F0,SHA256=0AF4FDEA6FFFB315F10CA06F2B12B389A6E0442A015EF83FF28CE5E8CF0FEACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:13.076{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED247FAE54493026A8F25471257D28E2,SHA256=FF6F089994583B461B9360FA0CA099AB35C5C00C3EC8704BB0C5C55D7F8AEB79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:14.699{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0456A21576D923244B6ACF5B8A8EFF9B,SHA256=84191C9CA476A3323B4235BAF72BD899D46AA67EF90158FF3F8CEAF5688BDD1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:14.862{A847701F-3766-63EE-DD04-00000000BB02}17161656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:14.754{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3766-63EE-DD04-00000000BB02}1716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000086675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:14.754{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3766-63EE-DD04-00000000BB02}1716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000086674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:14.753{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3766-63EE-DD04-00000000BB02}1716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000086673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:14.753{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3766-63EE-DD04-00000000BB02}1716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000086672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:14.752{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3766-63EE-DD04-00000000BB02}1716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000086671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:14.752{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3766-63EE-DD04-00000000BB02}1716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000086670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:14.675{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3766-63EE-DD04-00000000BB02}1716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:14.675{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:14.675{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:14.675{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:14.675{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:14.675{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:14.675{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:14.675{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:14.675{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:14.675{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:14.675{A847701F-127E-63EE-0500-00000000BB02}412528C:\Windows\system32\csrss.exe{A847701F-3766-63EE-DD04-00000000BB02}1716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:14.675{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3766-63EE-DD04-00000000BB02}1716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:14.675{A847701F-3766-63EE-DD04-00000000BB02}1716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000086657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:14.175{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDF9DC22E83106D7AA40C638FB40319A,SHA256=FFBE7009B53AAB3574B4BFF41055277BAE80332E06982EB73DAF1CFDA7E0BD03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:15.790{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B4482D5D3528B6C3FF8F550C713A636,SHA256=7D5EC2F3D76C2AC7C62E33B3BAC679F08935AF8CECF517E26241FD3F02791034,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:15.939{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3767-63EE-DF04-00000000BB02}2248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:15.936{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:15.936{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:15.936{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:15.935{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:15.935{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:15.935{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:15.935{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:15.935{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:15.934{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:15.934{A847701F-127E-63EE-0500-00000000BB02}4122656C:\Windows\system32\csrss.exe{A847701F-3767-63EE-DF04-00000000BB02}2248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:15.934{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3767-63EE-DF04-00000000BB02}2248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:15.934{A847701F-3767-63EE-DF04-00000000BB02}2248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000086693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:13.294{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51541-false10.0.1.12-8000- 10341000x800000000000000086692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:15.533{A847701F-3767-63EE-DE04-00000000BB02}26403648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:15.314{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3767-63EE-DE04-00000000BB02}2640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:15.314{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:15.314{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:15.314{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:15.314{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:15.314{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:15.314{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:15.314{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:15.314{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:15.314{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:15.314{A847701F-127E-63EE-0500-00000000BB02}412428C:\Windows\system32\csrss.exe{A847701F-3767-63EE-DE04-00000000BB02}2640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:15.314{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3767-63EE-DE04-00000000BB02}2640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:15.316{A847701F-3767-63EE-DE04-00000000BB02}2640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000086678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:15.283{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8059C98973BF02AAF546C7F27E3985D,SHA256=D6A3D7C58B893B19AD4E504B980594624ADA0DB705F60237BE1595D26393C9C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:16.871{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE09F7B4A914565BA679982ED8CB800A,SHA256=2646BA99D466B1AE601FFB380378C6A171B21CB54CB19C9793EAF0F0FF1DC88E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:16.491{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAA5409E232B7694356A9082F09D53A6,SHA256=8A6329D6E5E35801CC22A913911CFE4BF698A9578AB30E453276CDEB0C15CF89,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:15.294{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64555-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000086707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:16.163{A847701F-3767-63EE-DF04-00000000BB02}22483608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000117029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:17.953{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45970255EE36AC500EF9B8466088D222,SHA256=38EE80A8820FA50F9499606A0C0FEDDF3610B6FA442F91F3503AB272E7CAD1A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:17.589{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2E98C046318A32BF6B1A3A30CDE7638,SHA256=3A2B2340FDEF83A4539C842609CF2698F31DEAE4F49AE7A3EF7236AF5DAA73EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:17.024{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D474689AFA9DF2043DCBF98ACF521CBF,SHA256=A4324D3CFBCD57A0111785273AF1A0F35A0C9A1A1B2BE5A9DAEAE813845D6AD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:18.829{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-376A-63EE-E004-00000000BB02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000086729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:18.829{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-376A-63EE-E004-00000000BB02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000086728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:18.829{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-376A-63EE-E004-00000000BB02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000086727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:18.827{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-376A-63EE-E004-00000000BB02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000086726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:18.826{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-376A-63EE-E004-00000000BB02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000086725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:18.826{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-376A-63EE-E004-00000000BB02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000086724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:18.771{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-376A-63EE-E004-00000000BB02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:18.771{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:18.771{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:18.771{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:18.771{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:18.771{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:18.771{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:18.771{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:18.771{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:18.771{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:18.771{A847701F-127E-63EE-0500-00000000BB02}4122040C:\Windows\system32\csrss.exe{A847701F-376A-63EE-E004-00000000BB02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:18.771{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-376A-63EE-E004-00000000BB02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:18.772{A847701F-376A-63EE-E004-00000000BB02}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000086711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:18.677{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA0DE930631F39652276AE24B3B81250,SHA256=730B9E9E03C4C54E72DD10D17904ED5DAF7648EFBC5295DD80A84BE064ECEDEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:19.771{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45D7FCB30BE137830A2155A5E85591A2,SHA256=7894B8E37028BC88380F28F3159C9746FFB9CAFE2BD588EF8C18068A712342C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:19.051{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F93591F7D1E9C94F682772E7BF3B41C1,SHA256=C099CD38D4F8F3F3AF2DA68ABCCD3CE6E1C68396189231D2B3DA400B9FA09F0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:20.971{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:20.949{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:20.893{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:20.875{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:20.855{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 23542300x800000000000000086740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:20.846{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B01097500397228BA69FEAD62F88BE5A,SHA256=B67279F7B7C71B3415CD262E098410CF19C4394561B336A606076C19CD2EF60B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:20.835{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:20.816{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:20.808{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:20.795{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:20.784{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x8000000000000000117039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:20.688{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-376C-63EE-4E05-00000000BA02}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:20.685{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:20.685{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:20.685{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:20.685{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:20.685{3F28B219-1282-63EE-0500-00000000BA02}412428C:\Windows\system32\csrss.exe{3F28B219-376C-63EE-4E05-00000000BA02}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:20.684{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-376C-63EE-4E05-00000000BA02}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:20.684{3F28B219-376C-63EE-4E05-00000000BA02}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:20.136{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=804F5AE889F47E83A89FF324549B6C3A,SHA256=0B9E67FC9163BE4FB4FAC781D74364493F347CA17F4BD93AAD2F742CFD15A04F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:20.771{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:20.758{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:20.752{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 354300x800000000000000086763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:19.168{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51542-false10.0.1.12-8000- 23542300x800000000000000086762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:21.822{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACC434E00A24D4EAA19F76BF64D8D6A3,SHA256=142BD9864FCADBC9FEEB27D755E6722B50DB0EB8E53FE1ECE5398F10CACCE6A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:21.773{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C5018378D795CFE2C380131A1CD64604,SHA256=D6F085FA3ED48A7C6BFF1BC0359CF2ED99352B27940A6C30121DC35EE105D0B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:21.772{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49352475A81E478117F75F98B359E553,SHA256=C7C32DCB4C6A05ADD75CE1D5986B641D32C9D04D70E1C9119D0AA1F3A5B55CC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:21.353{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-376D-63EE-4F05-00000000BA02}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:21.353{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:21.353{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:21.353{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:21.353{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:21.353{3F28B219-1282-63EE-0500-00000000BA02}412428C:\Windows\system32\csrss.exe{3F28B219-376D-63EE-4F05-00000000BA02}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:21.353{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-376D-63EE-4F05-00000000BA02}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:21.354{3F28B219-376D-63EE-4F05-00000000BA02}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:21.338{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=825E1513B588D55F4F41112DA13F627E,SHA256=8CEB6E8F17BC19F4053BAB81A6FA7A85D027FF0C3F8CD54216361A63F1BBC236,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:21.111{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:21.105{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:21.095{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:21.091{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:21.090{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:21.086{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:21.085{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:21.082{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:21.075{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:21.065{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:21.062{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:21.054{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:21.034{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:21.030{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:21.012{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:21.003{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 23542300x800000000000000086764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:22.900{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5803856DDBF0B75D46C1AF7ECA2856C7,SHA256=B1FE0AB6813A9549F8FC8333C59C62A576368E21ADFD33603467752A4093D4FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:22.922{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-376E-63EE-5105-00000000BA02}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:22.922{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:22.922{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:22.922{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:22.922{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:22.922{3F28B219-1282-63EE-0500-00000000BA02}412380C:\Windows\system32\csrss.exe{3F28B219-376E-63EE-5105-00000000BA02}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:22.922{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-376E-63EE-5105-00000000BA02}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:22.923{3F28B219-376E-63EE-5105-00000000BA02}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000117061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:21.246{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64556-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000117060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:22.427{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=351CC7211BB25CA987E4C288DA5D595F,SHA256=CCC861228D12678D4A2D1B917A00A086B5E1729FB44B3CC1EFEC67AA086D2ECE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:22.224{3F28B219-376E-63EE-5005-00000000BA02}57245484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:22.020{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-376E-63EE-5005-00000000BA02}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:22.020{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:22.020{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:22.020{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:22.020{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:22.020{3F28B219-1282-63EE-0500-00000000BA02}412368C:\Windows\system32\csrss.exe{3F28B219-376E-63EE-5005-00000000BA02}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:22.020{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-376E-63EE-5005-00000000BA02}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:22.021{3F28B219-376E-63EE-5005-00000000BA02}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000086765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:23.996{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DD09DA5711E767ABC69290742A9198D,SHA256=C0C934580CFE93E103C486B52DC13B362FE6D3049C7EC45A7A3FC6BEDEC42BFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:23.531{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06AC7C8E465330ABA4F1E07FA76F1C4B,SHA256=151FB209E8DF00C63001EF0516EA80AF7647C56FF9A86CB42A60F186CE10FEFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:23.188{3F28B219-376E-63EE-5105-00000000BA02}38444660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000117070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:23.156{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CFB0EECE6B63712A4EA5A7A87DB7B7AD,SHA256=DE087156A85DEADABFA0AEC498040C9FE6609091930C4241F0108461B04CBB6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:23.471{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local64557-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local389ldap 354300x8000000000000000117098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:23.471{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local64557-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local389ldap 10341000x8000000000000000117097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:24.938{3F28B219-3770-63EE-5305-00000000BA02}65045176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:24.835{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3770-63EE-5305-00000000BA02}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000117095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:24.834{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3770-63EE-5305-00000000BA02}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000117094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:24.834{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3770-63EE-5305-00000000BA02}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000117093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:24.834{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3770-63EE-5305-00000000BA02}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000117092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:24.834{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3770-63EE-5305-00000000BA02}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000117091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:24.833{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3770-63EE-5305-00000000BA02}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000117090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:24.729{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3770-63EE-5305-00000000BA02}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:24.729{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:24.729{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:24.729{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:24.729{3F28B219-1282-63EE-0500-00000000BA02}412428C:\Windows\system32\csrss.exe{3F28B219-3770-63EE-5305-00000000BA02}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:24.729{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:24.729{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3770-63EE-5305-00000000BA02}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:24.731{3F28B219-3770-63EE-5305-00000000BA02}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:24.620{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B8DA1A90872A7CC74D9A62647AAB142,SHA256=E7200B298E3B787D18B1267FA424D1810F755B05DCF21F88C352F26724BC1C4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:24.245{3F28B219-3770-63EE-5205-00000000BA02}67564924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:24.073{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3770-63EE-5205-00000000BA02}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:24.073{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:24.073{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:24.073{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:24.073{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:24.073{3F28B219-1282-63EE-0500-00000000BA02}412428C:\Windows\system32\csrss.exe{3F28B219-3770-63EE-5205-00000000BA02}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:24.073{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3770-63EE-5205-00000000BA02}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:24.074{3F28B219-3770-63EE-5205-00000000BA02}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:25.703{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFE7FF0C1972FD1C9695F17BCACABFAC,SHA256=29C1CDF5186A136AD4492FF76E283B88FBD752282A8BB07E670A81A1C166CBF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:25.081{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC2EC9E613BC2D7151019316595EFFAA,SHA256=2305EFB5D3D2202F1E7148EE2E7F29F2D7B58ADA9295D8CAFE8B769D51C19437,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:26.957{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3772-63EE-5405-00000000BA02}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:26.957{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:26.957{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:26.957{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:26.957{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:26.957{3F28B219-1282-63EE-0500-00000000BA02}412428C:\Windows\system32\csrss.exe{3F28B219-3772-63EE-5405-00000000BA02}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:26.957{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3772-63EE-5405-00000000BA02}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:26.958{3F28B219-3772-63EE-5405-00000000BA02}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:26.798{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77F06B21D84119A9719CE2AD3256EB3F,SHA256=7C4E437F1365670451406802AAE1305AC6EA66B0E91A1690849F2C49A7B13CE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:26.175{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80FBEC5F25D50A2B80A261BD25A35E83,SHA256=B4E23DF39AAF639BE8753F76ADF4756002BEFBD89A3780A7AC93BC1388E28AE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:27.891{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCA85D4C82F937C638CD2F3A8485DA8D,SHA256=B3726EB8F2C95F4BA3FD1DB8A8CD379D210E41A468B161C70386844C81699084,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:27.266{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0E986B40C67F30568AEE9B32D0F6DF6,SHA256=D3DADA2FF59C61D94606858863ABAFCA7C56B8BCCA560DD24BD989E0E98F0743,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:24.278{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51543-false10.0.1.12-8000- 23542300x800000000000000086770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:28.367{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83F25E17291524DDC1077772BBEA288E,SHA256=5F37C03EE7725A94D0E1653E2BAB84B8C9B65DCBD9E7FEC6FCD18445D893F55E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:27.240{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64558-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000117111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:28.063{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=155FFA4FCB3AB81597189401BC350129,SHA256=558EBECAB7130F29E4697C86FEEF70341E80A8762A3D274D79D2DF51C074B8DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:29.464{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9674612A655E831D2EF98699F3AF9453,SHA256=71627EC20FF85499300F093D7696BCBF50B275D7C8E9C80CFBB080BB22624232,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:29.614{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:29.599{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:29.594{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:29.578{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:29.560{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:29.550{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:29.545{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:29.515{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:29.493{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:29.484{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:29.476{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:29.471{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:29.458{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:29.435{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:29.429{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:29.423{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:29.409{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:29.388{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:29.364{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:29.323{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:29.308{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:29.294{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:29.277{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:29.144{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:29.134{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 23542300x8000000000000000117113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:29.007{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B13E3748956CD34C5467FF6BE6F6139,SHA256=0BFC3C536939FCB084DFFFB4F1B1ECB6AA58BE820C47B8C6B13481F0C930C1A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:30.550{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9022CBFCD73DB4CD05862480E18378F7,SHA256=98A824B183375CEBE88A055C5807985DDFF6300FB25BA18C82D4A14E5A4344EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:30.059{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 23542300x8000000000000000117139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:30.045{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2FB5313C1B44DEA69CC368EC0611066,SHA256=940B99AE08EA02994119519C79EC588AA5B0A374A115AEA143FC5758BA320C55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:31.654{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F65BD9E675956DB37B95CE8AFD2F774,SHA256=5325E212569FA1FB08388C7413A5234BBDBD8AF26B92B56D9358E9C8CC6DA49D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:31.141{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=632702E194BAB0D5DFA49ECE9EE4CFCA,SHA256=68DE92B33D73AF6DD0A2F847FECF7E342DA260FF0A8A22C97C40FDDC81E9677E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:32.735{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AAE36CAC55C25C1516D3B7B002B36A4,SHA256=3D4D341CB97E9BC27828A5687171AAC055CADE5B9B21D54A807891F206B62364,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:32.730{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:32.726{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:32.712{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:32.697{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:32.659{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:32.649{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:32.634{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:32.626{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:32.623{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:32.620{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:32.617{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:32.611{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:32.611{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:32.608{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:32.553{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-14C1-63EE-EE00-00000000BA02}5488C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000117145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:32.239{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A84CFAE18DC734C34837B9827C91738,SHA256=626370F8AD79AA610513914831FFD65F73E817F2648329F446994025B31A8454,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:32.100{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:32.099{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:32.097{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 23542300x800000000000000086775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:33.817{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6348B0252B2431172411B39A7AA5A95,SHA256=08A83EBFEF9DE28E21476A80070FE56B53B8025F09F5F66F16E5217DBD4C802A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:32.350{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64559-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000117161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:33.313{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6295D546DA0EBFF63E08CB5591653EF,SHA256=CEDBD23426B34E6E535EA5EF69F6B460235599DAAF315E928D8FBBAB4760C68C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:34.914{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFFE6A09EA668EF1E73A4593118837F7,SHA256=734CF0078D69AFE394111B7B05823B95224F8ECD86F35CC08D3FFC1F855C6425,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:34.409{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=678C994323C62253A098A3EEC71F2ED1,SHA256=D7F70B4648AC85F51DA3F99C700DA2A14E62C4642A7F99454466A7A711B619A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:30.254{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51544-false10.0.1.12-8000- 23542300x800000000000000086778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:35.994{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26BDEDB5EF05049CCCE2008D853C3152,SHA256=3881D15A2EE982B61C378B7167A50E977FF00C14993FB1CE9459F8BA4B3AC9DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:35.491{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47EFB7B33973E0EBE242E2733E5F8B3F,SHA256=D61022569DE7CFCD1D070CCC6848FEFC2F234899FDDB750208B604B4B709A30C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:36.586{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70256B5C360CDC2194A0AB38AE203C99,SHA256=044E6BB4B12B196EFA4BC3A42389EA8C52B81325BE93E4230A200261692B64A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:37.677{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28921E4348C274B973DB44AF4ACE769B,SHA256=3A9F6A45FC841074EED27F072489B716E625F021CDF9EE075B099951C6F5C4A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:37.088{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A83CBE5D4EF30F6502C0A1397E0DDDC3,SHA256=5D3050998A53F998CBF815F74DA547EA29653ACD67D5240EB470E2792FC3E942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:38.789{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F339D5CB4FC7F5B6D048BD802BA4CA48,SHA256=4A004215B3152FCAAF6E3C9C77BD1913000D07095A0707D48A0C9BAFE6694478,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:38.181{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6ED77905FE4A10F1FA1A6D865158E22,SHA256=B46D3EB1B1048D4A27E7EB7639F8E3224D417873EF4E0F9637B0BEE9A10C3026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:39.885{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=214047C73DD9BCF0A31E8960DDB7D5EF,SHA256=B94373FA2F389DA6C61D820063E4875A3D48AD0CE848633CFFFD989893B1EA7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:39.269{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F4A4B537F9760978127ED0B46713298,SHA256=F7120689FE7801C9D4CF719AFFE55298678A56C2D2771FD9D510100FF22607C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:36.192{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51545-false10.0.1.12-8000- 23542300x8000000000000000117170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:40.977{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB1689DAFD488C41FD1EA1F184329F12,SHA256=9BEF6F493C1585CE200B3A62309A41A2E1F9D681EAFF6A9FA1C12469BA2DC51E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:40.987{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:40.983{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:40.981{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:40.978{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:40.977{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:40.975{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:40.974{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:40.973{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:40.971{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:40.968{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:40.966{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:40.963{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:40.952{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:40.950{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:40.940{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:40.938{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:40.926{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:40.911{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:40.869{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:40.855{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:40.845{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:40.829{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:40.814{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:40.803{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:40.793{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:40.784{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:40.777{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:40.766{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000086784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:40.759{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 23542300x800000000000000086783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:40.352{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CA6D9555459377D883F9D71817ED0F5,SHA256=9CFEEC5CAAF516083A595C8A38E974CDE2BD6102A590D88D082D2AC0316945DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:38.338{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64560-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000086813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:41.736{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EB3E6C2FCA030AD1397A2B3BA31961C,SHA256=81A46FA7A2474B06CD6A3ECDB42F35B855585F9FCEEF47A7B5E1B3830F154B8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:42.845{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E0F2E3E0D56C16984CD8564DD253247,SHA256=727347D64F3AD6F80CE8EB1DBD5CA2F77F5CF9D69292C5CCA6CEA47C7B800FE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:42.071{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35597E514F91C7422B5A3DC266261D87,SHA256=7192F25BB86967C10C34BCB37AE6378E84A9AF24813B46209778BB2098F8B2D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:43.947{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4494D07B14A8BCAD762B9C477A5A2073,SHA256=2EF1EA5DFDF8A6866E375B7C98F20398BFCCBB8DBAFEDDD3DA5B2C2691590773,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:43.160{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66E39D969A34C8532DF598BBE2D17317,SHA256=4332621E2B4F329315F561F95EB05AE3E2C9E8DC034821EA41CFE7EEFB98112D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:43.445{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7AD82F33F66ADDCF9DB513C14A594C3C,SHA256=653446BD462A7AAF0E7F06ED45304942A4E621E2CAFB53609D0B6379B314990D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:44.250{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99B90357F8292D4CAAF315A05A7BD212,SHA256=527EFF0EC4B314BCC260626E718E5CE8AED0A7A1DB16055F9620A98761E17B45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:45.345{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AA66CE7F92371B4D5BA4103E30D9CF4,SHA256=CEEDF70B57EAADB15DF70D5C96278DA841B7BC9054357B55F340679F54A29551,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:42.136{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51546-false10.0.1.12-8000- 23542300x800000000000000086817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:45.045{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6049DCF8FC455B13A6D0F385F4D65255,SHA256=F0D467F94AC4EE61D8D684C3B311A726C0276EE9C7013597CCAB03CABBDE000C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:46.430{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0772BFE1D9EA30808C294F7A64856AFC,SHA256=1DE6615ED282D8649C64ED27691CA33EF8051EBF3841B48BFD4C2A1ED7602887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:46.135{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB54C4C03768A1A53276FEED9D516002,SHA256=14E6552961A025C01252A83CFBD88404F8FEF3937EDCCB32E5DB470105416C17,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:44.330{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64561-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000117177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:47.512{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=368BC15431B6684359B8BA4F70737CA6,SHA256=4B99D45F318EC88E05E7311F8A256767CA9907A185ED509CB1F012092D88EDA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:47.528{A847701F-1281-63EE-1C00-00000000BB02}1884NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0729cc0666dfd4ba8\channels\health\respondent-20230216112453-153MD5=B67CF1AA8F02C4F88F32B9662830A5FC,SHA256=A3185EA3A347A8F67D824B533332877713B0C696AA9DEB83501331F2F0EF2A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:47.228{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B88E58C65B0D9033E9EC6540700922F5,SHA256=03EEC096FFCD42E331259E9970A65DA8DD1ECC18CB8D056C02F5A28927E477EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:48.599{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1B3B9666EF93117E43469818D2E6A86,SHA256=64619D4AF5C0B401BEDC34AF8A02F4CD1C6B324DEE3CFBDC334789B0886EE559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:48.528{A847701F-1281-63EE-1C00-00000000BB02}1884NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0729cc0666dfd4ba8\channels\health\surveyor-20230216112450-154MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:48.308{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06912995FD153BEA1CB81C64E47AB48E,SHA256=876E680EF5A332E048F404402DB02B688CDAFD2E18F8391E43D471FD03E84B6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:49.651{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67A947264DBAF278145139C45BC3E2EB,SHA256=9E1B9EB5761CD6D2AF8C905D3315570B3071F297534BB3AD4A2B4460C5E3E128,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:49.420{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB1ECFF733141B4613E921A6B83E7F63,SHA256=6E01D4478EB92D0D2AB1F4EA2A8417F0B9F8B3EAD750AD56BB36C9D80EEC6034,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:49.424{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:49.419{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:49.417{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:49.410{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:49.402{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:49.390{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:49.387{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:49.376{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:49.363{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:49.355{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:49.351{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:49.348{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:49.337{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:49.314{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:49.306{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:49.297{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:49.290{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:49.279{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:49.260{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:49.222{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:49.210{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:49.195{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:49.181{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:49.119{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:49.114{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 23542300x8000000000000000117206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:50.720{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9005ACFEDFACE364B62628DDF249E55C,SHA256=24FFB1E0A703F369EB7E9E3959395C04D1DBD9701F6CFBA6A7F95606D4FF083E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:50.934{A847701F-1280-63EE-1200-00000000BB02}1016NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=25228251CE4D7316740E01FA57C61F0B,SHA256=F5BF6224B614A7B4E6D5D7E447571095CFD0BF9F6E62D31E47253DDF977377B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:50.531{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=721FF3E9274D28A862E18A0CB2C8F415,SHA256=DA76BD2D2B7CE285993728BB5A23C040E8E3FCAF20F18B0DC2EB74E2B3BDF661,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:50.005{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 354300x800000000000000086825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:47.365{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51547-false10.0.1.12-8000- 23542300x8000000000000000117208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:51.804{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C48CAD76F24B11C4EF1746072FF14253,SHA256=53F48AD90BB70C27FA8E2924481771EAE3F30794CA93D1C1A8514720A9FE4681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:51.620{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5F1D07563BF092D065CF74CCE8C31C5,SHA256=943BF9D6DBD46F0AAC2A97CD03D139B80072ACDB7AD9D04994CFA8DD4613A59C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:49.336{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64562-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000117226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:52.908{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CDB2A77B94FAE6AA8AE22C5155D7965,SHA256=D2695805F0E892EB72E597814CB5B453131175AD1C8ECE4F79C4606D92C3AD6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:52.705{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61CF18B93F54033BD0161BB3CFFFBC70,SHA256=E8A42C95859FB0D0CFE17C2BBA7A66A4F9FF99778BE8CDF97C1E96E1769E25FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:52.656{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:52.648{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:52.639{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:52.627{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:52.600{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:52.592{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:52.581{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:52.576{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:52.574{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:52.571{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:52.568{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:52.565{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:52.564{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:52.562{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:52.039{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:52.038{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:52.037{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 23542300x800000000000000086830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:53.796{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3025BAFC72636392973EDA6F0342F07C,SHA256=9BE1C00546BA407671247E5C5BBF2BEEC89789DE50919CFE0396189910FA0605,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:53.342{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D5CF24B0F7F38AB258B27A0189E1C5E8,SHA256=4DBB754CF0A23BA10C61B7097E957679C7651DF91C837D8A90685DA7D15E3B94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:54.884{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AAE751D9C0D8677D241FC1DC823DA5D,SHA256=CE467176D5717FCC5B34BD40A6F121ACAE0617B25C0C0ABD335959445AD64574,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:54.776{3F28B219-1285-63EE-1100-00000000BA02}756NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5076E13ED0927A6B8648DAD4B21B6E1E,SHA256=33E1F51E0C87E152655A9313266C3320E55777B69B5F4256ED641E16F76493FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:53.998{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=604FDEA03E4DF1B579623B76E27834D7,SHA256=135A8E1359EF43D46B5C506557D3FE93949263689EF6D38D2A0E5775F0E8AB6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:55.963{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1C405826DB7E54FE92BD37582EAE0D4,SHA256=CE2F355C6E18C791455FBADCE3CF21CF6FD6FE1E7B3F49CF24A9DCF398411641,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:54.403{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64563-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000117230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:55.088{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AC4053E0B8AB2C4474A4E94030826E4,SHA256=F56D22D67D0FDCE9D47F228B8C7976F0E98010A58786500F759AD10D88370F4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:56.187{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AFA46E8E9941C9F64239CBB7CEAC475,SHA256=312C6F7DB1B9C7C8782095B0D8C1803F9ECFDB29618BB0AFEA4A5EBC267830BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:53.348{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51548-false10.0.1.12-8000- 23542300x8000000000000000117233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:57.280{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F9CAE738CB7C77425011554C7DF6682,SHA256=1E3FDF05285BFE8A8792041000DCAC22371CB277544358B001F6742817757C07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:57.058{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EA4060A149F714820BEF4D2488C6967,SHA256=57CF0A66A1D4DF33D320CD8C7B5184598AAA3C54154CBD7F5FA482A5EE7F6AC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:58.361{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03466FEC15174117987363A7C2E0E302,SHA256=000E77A1EC2A7F6FD83022B0E17AB5A5239040C52E72D6E78813EA25F0895869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:58.147{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A559FC0F329387D18F18D46AFECC960F,SHA256=764B4F8ECFE34787A616850173CC5815F6B76017C00E855A8A0C4B56FCE96B0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:02:59.663{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3B8B0000962CAC95B06578957A2C895,SHA256=F79445360B262A6819081CC753F8AF23A4320CB1CC26177B619C58FA1B658BC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:59.236{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE4740D00CA5B73DDBFEE592BCA605F,SHA256=15DE744E58000F7C7D7CD9CC2FADE7BB02017FA951CCD36429ACB7299990EBCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:00.741{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B54EDB2562CA60107C61C73A39581DD,SHA256=D4B176B295C940054EAF390095C7F7D437E9E33447F60DDFCA91459F4AD45647,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:00.999{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000086862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:00.996{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000086861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:00.995{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000086860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:00.994{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000086859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:00.991{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000086858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:00.986{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000086857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:00.984{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000086856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:00.981{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000086855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:00.972{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000086854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:00.969{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000086853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:00.960{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000086852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:00.956{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000086851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:00.934{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000086850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:00.923{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000086849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:00.890{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000086848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:00.876{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000086847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:00.863{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000086846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:00.854{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000086845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:00.845{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000086844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:00.835{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000086843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:00.803{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000086842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:00.772{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000086841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:00.760{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000086840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:00.756{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000086839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:00.747{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 23542300x800000000000000086838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:00.752{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=281B95656156CCFC1211A59F701603F1,SHA256=86EC2ED804979D2F26D869E18FE5EEF314C2344A30388E16CC0816FC1020DA93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:00.322{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AB4F4257D640F5940EC27B006AF25D3,SHA256=B7F4AC29874EE716352DCC0777A2F33C1EC94B58551BAA37DE42659A86008016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:01.829{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5368800ECD11E948DCCCA570F5F4C98,SHA256=A5E726905B0B005C8AB64804C33CC13425B7E67F290195E77FCFB417D2E4BB27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:01.821{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4871024BD887BDC2A9AE0B5D8B06B74A,SHA256=ACF58EC6AC4F864E5358F1B3891F71062F4A99A78F485B9E9F618DC2F938E817,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:00.279{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64564-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000086867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:01.009{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000086866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:01.006{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000086865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:01.003{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000086864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:01.000{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 23542300x8000000000000000117240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:02.975{3F28B219-1293-63EE-2700-00000000BA02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-005f8c708c98243a3\channels\health\respondent-20230216112509-153MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:02.909{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=606251F0EF052318B0D81F546D8FCFAF,SHA256=3D8D4C074E88C0D1577ED8E926BFAB8EA7E06A9032FF960F7D3A63039869FE1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:02.941{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69E19A5CFB81775772458712E708A9FC,SHA256=19CB9B4AE74D3E222B199304C815B18F94FA9AF1FD9EB149F896D5A05197A86C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:59.836{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51550-false10.0.1.12-8089- 354300x800000000000000086869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:02:59.113{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51549-false10.0.1.12-8000- 23542300x8000000000000000117241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:03.981{3F28B219-1293-63EE-2700-00000000BA02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-005f8c708c98243a3\channels\health\surveyor-20230216112508-154MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:04.012{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C01CB497BA05809C33F538658D7C63,SHA256=A014A72786C490B223FE3E7576702AE7C10994B1E7B14D6B88F664095E3F6E69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:04.024{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6843FF17A637996CF092FEEB77B2DE4A,SHA256=2651659965FB3D21744B455005B71E62ADEE35B44F8516214891564F8C9551FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:05.118{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1615330FEE24EFF72051F0E038CBD272,SHA256=1EAD329E0ACD9F385F6AF6ED81A198AED07D09AFE5F6F08EB9B64CAA7AAD5234,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:05.122{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=693887E2A3F063F1E826589150737B4F,SHA256=7B502767B346994EDD0F59C2ACDB5C80A2CDE0EA9CE47DCD06B6C2508B19E1B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:04.164{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51551-false10.0.1.12-8000- 23542300x800000000000000086874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:06.214{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80787E1D9A94997A6A69A0B3401B299B,SHA256=726EDECE8A79F9878290CE35A2DF7B8F5504C1B6F9196F47C756D72956CFC5F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:06.201{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E887A242761304B4FFFEAD7BDC14C28C,SHA256=3EC88813E4C07183F0704A446FFE120B922E94C4B24AF0E265FB17E6E81E4D7A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:07.705{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:07.705{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:07.705{A847701F-127F-63EE-0B00-00000000BB02}628716C:\Windows\system32\lsass.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:07.689{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1E00-00000000BB02}1976C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000086876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:07.329{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAD373F6D66D44F8BF1032D0689865DC,SHA256=E1AB604303AFC4AB67805024CF7DDFEB49E4CC66D4A1DFDAB6B38A99D1E771B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:06.267{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64565-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000117245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:07.297{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BDE3359FDAAC2C024005F725C72A81A,SHA256=97A9F65D1668B1901D001AAC48AE684F4ED7299B0938241C95A6547F6FC6702F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:08.402{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0A6D398210FC79DD2B2041560C82063,SHA256=DA4580AAA33AB4E589206A349CA2129B3567234AD1C8BDA557ED9D9026D46F39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:08.379{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B171241D2B4CD4C1BD2774B5EABCBE7,SHA256=DF30646AC230B835F10CD59D343C14D959F6C25EA5ADE6A602D5139BC03BC797,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:09.496{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16DB541148C3E5799026582C2C0DDDF4,SHA256=BF3FCD815286DA6AAB7FBD9799817C544DFCA168E3F4F25FA54EB17AF1A9C84D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:09.970{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:09.447{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 23542300x8000000000000000117272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:09.442{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A48135B6D715534C9EF4C7AEE019358A,SHA256=CFC1EE59F221AF9287C91BF0532E5D815E77CC16AB63BCD6522B63D72AFDE740,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:09.441{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:09.439{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:09.432{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:09.422{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:09.415{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:09.413{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:09.395{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:09.376{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:09.373{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:09.371{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:09.361{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:09.345{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:09.323{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:09.304{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:09.292{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:09.280{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:09.264{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:09.247{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:09.210{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:09.199{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:09.185{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:09.174{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:09.124{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:09.121{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x800000000000000086899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:10.962{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-379E-63EE-E104-00000000BB02}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000086898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:10.962{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-379E-63EE-E104-00000000BB02}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000086897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:10.962{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-379E-63EE-E104-00000000BB02}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000086896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:10.699{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:10.699{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:10.699{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-379E-63EE-E104-00000000BB02}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:10.699{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:10.699{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:10.699{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:10.699{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:10.699{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:10.699{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:10.699{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:10.699{A847701F-127E-63EE-0500-00000000BB02}412528C:\Windows\system32\csrss.exe{A847701F-379E-63EE-E104-00000000BB02}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:10.699{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-379E-63EE-E104-00000000BB02}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:10.700{A847701F-379E-63EE-E104-00000000BB02}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000086883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:10.574{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41C78FB94BDC6987ECB95AC13D654D7F,SHA256=B71923CB8D09AAAB403A78D14F1D55231A318ADA6CA171BCF791ECCAC61D4EA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:10.673{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=281B95656156CCFC1211A59F701603F1,SHA256=86EC2ED804979D2F26D869E18FE5EEF314C2344A30388E16CC0816FC1020DA93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:10.496{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9393D6F57D23B5E66AAA1FE9C08A9E39,SHA256=35AB255461AC73879879C1F97D56C23B00C360307E64AF4B47780F8245C3C505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:11.961{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B14EB58E2B19660A4C6ED5714596E440,SHA256=D3ACED7230A4BEA090E0F34073EF06F277B25596B4380512D590DBB2FF2AF8D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:11.959{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF0FD1262E46E67FC2F022CB32CD19B7,SHA256=055986758D99B3A09DFB8614F9C60EC8309C2D209BDC43073608132EBC33C519,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:11.996{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:11.995{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:11.991{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 23542300x8000000000000000117277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:11.599{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C5718C89764685BEB38C63774546204,SHA256=9DE6C144EBDD8EF787EBCB9D770D1E1BC886E473EDBE4F0F99DCF1FCCA8979B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:11.427{A847701F-379F-63EE-E204-00000000BB02}1508932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:11.207{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-379F-63EE-E204-00000000BB02}1508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:11.207{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:11.207{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:11.207{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:11.207{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:11.207{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:11.207{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:11.207{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:11.207{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:11.207{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:11.207{A847701F-127E-63EE-0500-00000000BB02}412428C:\Windows\system32\csrss.exe{A847701F-379F-63EE-E204-00000000BB02}1508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:11.207{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-379F-63EE-E204-00000000BB02}1508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:11.208{A847701F-379F-63EE-E204-00000000BB02}1508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000086918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:12.985{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCCDAB7492F794D62C3F8EAE7D4C4CC0,SHA256=FB900EFE8A86DFBE286F3E39C20FD3469BEC63C2C74BE0AD7475011038053885,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:11.410{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64567-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000117296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:10.816{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64566-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000117295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:12.682{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=212A1371F5681F86EC9A98BC39245A37,SHA256=8CA89A737EFC90F2055FB0BAF1C9034466BC6EA5EF748B687696CA8468771B1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:12.657{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:12.651{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:12.640{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:12.625{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 23542300x800000000000000086917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:12.601{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E15D7DC3A016BA08579A7FA21FF7CBA4,SHA256=0DFDCFB0A9DBCB89F58AE3D823AF583C530F6652363ABC21A48AD177D832978E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:12.070{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2D86CCFF1EED3BF8A55E369DE08D9073,SHA256=ED64759A9BEB989404AD64F200413B6883CE3C9DCBE3F5D2B0D2EC9C0BC18AF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:12.565{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:12.549{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:12.535{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:12.525{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:12.523{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:12.520{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:12.517{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:12.514{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:12.512{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:12.509{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 23542300x8000000000000000117298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:13.669{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1147377BEC0D36BA2E70FF2BFDFA646,SHA256=51C09F0D83A6AEFEB514CA1234BD305FA1CF58FB2F0178544B562EBA750124C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:13.525{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-37A1-63EE-E304-00000000BB02}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:13.525{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:13.525{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:13.525{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:13.525{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:13.525{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:13.525{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:13.525{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:13.525{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:13.525{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:13.525{A847701F-127E-63EE-0500-00000000BB02}412428C:\Windows\system32\csrss.exe{A847701F-37A1-63EE-E304-00000000BB02}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:13.525{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-37A1-63EE-E304-00000000BB02}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:13.526{A847701F-37A1-63EE-E304-00000000BB02}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000086919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:09.349{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51552-false10.0.1.12-8000- 23542300x8000000000000000117299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:14.759{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9253CBCEFF4B12375E72AB183B0861D0,SHA256=175C1721EA0624644FA2B7BDFC3856AF1EAC2E91ED427F00C395C9B3F841C487,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:14.811{A847701F-37A2-63EE-E404-00000000BB02}29082896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:14.608{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-37A2-63EE-E404-00000000BB02}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:14.608{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:14.608{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:14.608{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:14.608{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:14.608{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:14.608{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:14.608{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:14.608{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:14.608{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:14.608{A847701F-127E-63EE-0500-00000000BB02}4122040C:\Windows\system32\csrss.exe{A847701F-37A2-63EE-E404-00000000BB02}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:14.608{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-37A2-63EE-E404-00000000BB02}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:14.609{A847701F-37A2-63EE-E404-00000000BB02}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000086933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:14.087{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FCEA38DE69EB58695980831DA4067D8,SHA256=2CC3DF6ACB94F5CC4C28DE1C0BB2DAFD62FA2408A8CCE14F81E680723B8AEA40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:15.844{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68817C7FC0C4539B85F51BAC120F4411,SHA256=9F27353DFBBD01CEBA3920CF6BA493F9655B40E3223F4CA87B485F492FE1B6E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:15.534{A847701F-37A3-63EE-E504-00000000BB02}40643656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:15.391{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-37A3-63EE-E504-00000000BB02}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000086966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:15.390{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-37A3-63EE-E504-00000000BB02}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000086965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:15.390{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-37A3-63EE-E504-00000000BB02}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000086964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:15.389{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-37A3-63EE-E504-00000000BB02}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000086963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:15.388{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-37A3-63EE-E504-00000000BB02}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000086962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:15.388{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-37A3-63EE-E504-00000000BB02}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000086961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:15.232{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-37A3-63EE-E504-00000000BB02}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:15.232{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:15.232{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:15.232{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:15.232{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:15.232{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:15.232{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:15.232{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:15.232{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:15.232{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:15.232{A847701F-127E-63EE-0500-00000000BB02}4122040C:\Windows\system32\csrss.exe{A847701F-37A3-63EE-E504-00000000BB02}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:15.232{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-37A3-63EE-E504-00000000BB02}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:15.234{A847701F-37A3-63EE-E504-00000000BB02}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000086948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:15.169{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F85D3FB8D5C7A54C370B7BE58CECEE5,SHA256=208BC89162E38A2766E921467DC2136C4F773E015310408561CA80600A72D8CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:16.940{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60E33F8B9E3EC6037E676FE270EFC7D2,SHA256=BBB6144D7251EB122442977EEA1109EC15D929D50ED33291358F163864C0EA82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000086983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:16.605{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC0F5FC54C2506B059F4638C6C8CC050,SHA256=52CD10FF4AB6817B72D33EAAA7822FA2E37F5B31395048713F9DC0C40AC18A40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000086982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:16.325{A847701F-37A4-63EE-E604-00000000BB02}2202308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:16.075{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-37A4-63EE-E604-00000000BB02}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:16.075{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:16.075{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:16.075{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:16.075{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:16.075{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:16.075{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:16.075{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:16.075{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:16.075{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:16.075{A847701F-127E-63EE-0500-00000000BB02}412428C:\Windows\system32\csrss.exe{A847701F-37A4-63EE-E604-00000000BB02}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:16.075{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-37A4-63EE-E604-00000000BB02}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:16.076{A847701F-37A4-63EE-E604-00000000BB02}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000086986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:17.458{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C10773B1A69B38ED2FB70FA361AC9918,SHA256=7098D77BE8ACA833866C0A87A86DAB2EC4B3EA62723DF557AD12AB14F56A6A64,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000086985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:14.351{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51553-false10.0.1.12-8000- 23542300x800000000000000086984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:17.197{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A31424247CD623CE7FAE7D059E1DE3F7,SHA256=28EE60672BF882A731C6D80B83CF02C021C2926EB4BBC34238922226302A1F46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:18.668{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-37A6-63EE-E704-00000000BB02}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:18.668{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:18.668{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:18.668{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:18.668{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:18.668{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:18.668{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:18.668{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:18.668{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:18.668{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000086990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:18.668{A847701F-127E-63EE-0500-00000000BB02}4122040C:\Windows\system32\csrss.exe{A847701F-37A6-63EE-E704-00000000BB02}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000086989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:18.668{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-37A6-63EE-E704-00000000BB02}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000086988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:18.669{A847701F-37A6-63EE-E704-00000000BB02}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000086987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:18.543{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C85A7C51EBE65F502E9841514D9E34E,SHA256=0A48529ED6302E93891B855D128E59ED3FDA482E37CD8106870182D95AE319E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:18.036{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=699F17F40BB6776D68E48C6BDAC45352,SHA256=82734E2D6255C851CE6FFAAFA59A6F28AB829BC9324D35CDFC0B2E157B9E2EEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:19.626{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=748698EF856CC3D13041FC5055E1675B,SHA256=5E3336E0A84C4093613C6B91D119FF7FFF7B0CDED616E12205527CBB1A9EDAA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:17.286{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64568-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000117303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:19.117{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C337AD6FC761C5301CDFBECB7018259C,SHA256=3C5AA713105E70BEDF9CF0718C4E5CF337E70CBDA61FADB6DC205D30367A9B2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:20.997{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:20.991{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:20.978{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:20.974{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:20.960{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:20.953{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:20.926{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:20.912{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:20.865{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:20.853{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:20.840{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:20.827{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:20.815{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:20.804{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:20.790{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:20.779{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:20.769{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:20.755{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:20.743{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 23542300x800000000000000087002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:20.715{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D223CB8FF916C123E920572F6C06B6B,SHA256=2BAB257FB6548E00B619D074CE24C160D96820AFF5A2CED6FBB98A746988435C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:20.947{3F28B219-37A8-63EE-5505-00000000BA02}30925420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:20.691{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-37A8-63EE-5505-00000000BA02}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:20.689{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:20.689{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:20.689{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:20.688{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:20.688{3F28B219-1282-63EE-0500-00000000BA02}412428C:\Windows\system32\csrss.exe{3F28B219-37A8-63EE-5505-00000000BA02}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:20.688{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-37A8-63EE-5505-00000000BA02}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:20.688{3F28B219-37A8-63EE-5505-00000000BA02}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:20.202{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5378496C0F0A84797F60A38E2E0C7063,SHA256=A23E379D4C816D251195F93776ACE756FD262FFB034D578F1AB99DFC75D266A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:21.972{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03BFA3AB88361FDBD74E4CB8EDB583E1,SHA256=D42AB0A46E3E95BBA4127BE2E213CC7C7D1A14918D1811C3191D9961B2EFCBC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:21.754{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D663D70A1AB600BE9BC058AC724697DB,SHA256=19F820E4061D10777C8B2219B6939621308CB08AB1C2463DFFB446BC491CAA78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:21.753{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF27A11DDFF982F0C647FAB7E4BC64DF,SHA256=58E634E689C5F10365C4C09D9007D9D13945B84CBBB390E00A85090C7D42BAE8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:21.369{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-37A9-63EE-5605-00000000BA02}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:21.369{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:21.369{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:21.369{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:21.369{3F28B219-1282-63EE-0500-00000000BA02}412428C:\Windows\system32\csrss.exe{3F28B219-37A9-63EE-5605-00000000BA02}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:21.369{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:21.369{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-37A9-63EE-5605-00000000BA02}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:21.369{3F28B219-37A9-63EE-5605-00000000BA02}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:21.290{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2DB42ED8B5C1782D06A43F6B54DFABE,SHA256=810B06069BE7E540BB8EFE42D8607D24C1D5B3761B2FB797C459E55FF3813919,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:21.037{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:21.029{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:21.024{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:21.021{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:21.018{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:21.016{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:21.010{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:21.008{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:21.003{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:21.001{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x8000000000000000117342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:22.942{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-37AA-63EE-5805-00000000BA02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:22.942{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:22.942{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:22.942{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:22.942{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:22.942{3F28B219-1282-63EE-0500-00000000BA02}412380C:\Windows\system32\csrss.exe{3F28B219-37AA-63EE-5805-00000000BA02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:22.942{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-37AA-63EE-5805-00000000BA02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:22.943{3F28B219-37AA-63EE-5805-00000000BA02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:22.380{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86AAF8AC3B6BC27CF1A91E56E7EC5EA1,SHA256=527EB4151CCA3F9B3C1E88A33305A92B19490D3FE0B532543A7372C6D458C3E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:20.270{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51554-false10.0.1.12-8000- 10341000x8000000000000000117333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:22.036{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-37AA-63EE-5705-00000000BA02}308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:22.036{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:22.036{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:22.036{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:22.036{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:22.036{3F28B219-1282-63EE-0500-00000000BA02}412428C:\Windows\system32\csrss.exe{3F28B219-37AA-63EE-5705-00000000BA02}308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:22.036{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-37AA-63EE-5705-00000000BA02}308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:22.037{3F28B219-37AA-63EE-5705-00000000BA02}308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:23.473{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=551434ECF1E788C6650F4CB735BA3221,SHA256=5930D3B954872E1635DFBF6722DBCAEF7BE4CCA35E46DAAEF094DC8823CB00A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:23.473{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3040A41824F7B9DD385D2397F8F142C4,SHA256=AD718EF98C797DB8FD66809AB674449FED50C6AA799D4DBB162EFE4DA72703CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:23.195{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=610CF160D5995BBA2AA9AFF30C5432E5,SHA256=D93ACCE3FF06F80F286159E45DA0DF695C63FB934F3694C8C8DEEFAE26D3D693,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:23.098{3F28B219-37AA-63EE-5805-00000000BA02}26482600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:24.286{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B8693FE79A0A27BF18833706F899784,SHA256=4D70B4A281F7DF088E72B18473C3129F934AEF24A556D4EDA1D0424D5E5C2BC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:24.838{3F28B219-37AC-63EE-5A05-00000000BA02}58765748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:24.767{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-37AC-63EE-5A05-00000000BA02}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000117369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:24.767{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-37AC-63EE-5A05-00000000BA02}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000117368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:24.767{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-37AC-63EE-5A05-00000000BA02}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000117367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:24.765{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-37AC-63EE-5A05-00000000BA02}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000117366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:24.764{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-37AC-63EE-5A05-00000000BA02}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000117365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:24.764{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-37AC-63EE-5A05-00000000BA02}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000117364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:24.567{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-37AC-63EE-5A05-00000000BA02}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:24.567{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:24.567{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:24.567{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:24.567{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:24.567{3F28B219-1282-63EE-0500-00000000BA02}412368C:\Windows\system32\csrss.exe{3F28B219-37AC-63EE-5A05-00000000BA02}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:24.567{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-37AC-63EE-5A05-00000000BA02}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:24.568{3F28B219-37AC-63EE-5A05-00000000BA02}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:24.551{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F19D3A92331369E856D3CA8BF2B1BC,SHA256=455B3F5150A3848E8B05396FB64457054221675A966222E07BB26C1F7AD81808,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:24.302{3F28B219-37AC-63EE-5905-00000000BA02}39805592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000117354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:22.288{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64569-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000117353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:24.067{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-37AC-63EE-5905-00000000BA02}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:24.067{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:24.067{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:24.067{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:24.067{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:24.067{3F28B219-1282-63EE-0500-00000000BA02}412524C:\Windows\system32\csrss.exe{3F28B219-37AC-63EE-5905-00000000BA02}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:24.067{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-37AC-63EE-5905-00000000BA02}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:24.068{3F28B219-37AC-63EE-5905-00000000BA02}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:25.650{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A8DDD99963CF835C3FF415D026D9D8,SHA256=CBB23A2DC278ACCD9DB483458A811E62DFE4AF7690634BFAA65CC5FBA715131D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:25.379{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C72324F1C8CC1A6AF6E7B09709A1CB2A,SHA256=989D13EBEA27385FC6AE149973C92A8097591CAE2B26A65D521DDB9FDFAA21D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:23.475{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local64570-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local389ldap 354300x8000000000000000117372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:23.475{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local64570-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local389ldap 10341000x8000000000000000117383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:26.973{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-37AE-63EE-5B05-00000000BA02}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:26.973{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:26.973{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:26.973{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:26.973{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:26.973{3F28B219-1282-63EE-0500-00000000BA02}412368C:\Windows\system32\csrss.exe{3F28B219-37AE-63EE-5B05-00000000BA02}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:26.973{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-37AE-63EE-5B05-00000000BA02}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:26.973{3F28B219-37AE-63EE-5B05-00000000BA02}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:26.740{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=222ABDA43AD59E3747CBF25D8570081B,SHA256=ED9AF7675DAEE5CAFB9FBFCA6EDF9D5FB1A2D2414D3BBE4890B88DF64CB41F84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:26.461{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC4531B7785A2607592E7476FF35AA6,SHA256=D2E9FA0C04216C9637DCFCC64A45F25DF72CAB2F5EB885288B602B78C10E68FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:27.829{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65BD6C24345DAAD26D75A78ED5EC57F5,SHA256=0489A2CE2672FBA9F4C7FB4FCBF8B53749BFA1C38256AC225C4491BABE77CED7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:27.542{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D2345368A0B91B4667513D14FA2EBCE,SHA256=FCF2CDA2B0D4DB35A5B0A33B65B88C1949D43F0D2EE80C94E9682CFE31347597,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:28.932{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89C3CF88353155057DD4A604D85386F5,SHA256=1ADF20FFBD0DC3C09C48C9D4AD2EAF382EFF289C5533C4B260A0E5340EB83D86,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:25.315{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51555-false10.0.1.12-8000- 23542300x800000000000000087039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:28.656{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84CB00E57DF3C2E096FF6E60B05EF611,SHA256=4772E4D0E1A056B35DCF7253CD193972F8470D573AE4EBFF561D1AE1CA9C15C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:28.006{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49769331E4DFCAAF0B5A95D6541FEFA3,SHA256=D3AAC4B5297D2669724555774E15586511DF539EE1BBE952423015BA613F0FD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:29.961{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96C6259626A1B7EE28698E75679CE630,SHA256=E18511A5981B460A92A9FBC5C7E675E98938532A6C446AE41BB296C70CF1C81C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:29.742{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD784A3FF72919261213A2C4167A047B,SHA256=2154D7C9C361D7FE16F0644CF943433AFB0D5E40D26D824B8D664CC7FBF2C43E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:29.521{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:29.514{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:29.508{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:29.502{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:29.495{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:29.483{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:29.478{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:29.466{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:29.455{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:29.451{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:29.448{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:29.445{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:29.433{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:29.407{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:29.397{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:29.390{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:29.374{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:29.353{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:29.334{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:29.285{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:29.271{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:29.236{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:29.215{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:29.128{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000117387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:29.125{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x800000000000000087042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:30.827{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD61E75CDA1565CC88BDDD2E0026D206,SHA256=42E44136E4E9755D55C557A56B75D8F2878C41A4B843CB768A5C7FD521A2602E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:28.242{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64571-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000117413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:30.045{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 23542300x800000000000000087043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:31.921{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCA919BAC5B0A2ABBC2771FC035FC17D,SHA256=8A2AB828C4044EB1C9346C9D9459A611BAA1971A485D85C35907D47036956A51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:31.044{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB364D082CDE13CCD48C33DF7EA2EBC5,SHA256=3716B268E93538072AB60676248CA4A12817101C477BFE788629250A4BC505A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:32.729{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:32.724{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:32.714{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:32.703{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:32.661{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:32.650{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:32.632{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:32.625{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:32.625{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:32.621{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:32.617{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:32.615{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:32.614{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:32.610{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:32.568{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:32.568{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:32.568{3F28B219-1283-63EE-0B00-00000000BA02}6284564C:\Windows\system32\lsass.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:32.554{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-14C1-63EE-EE00-00000000BA02}5488C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000117419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:32.118{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E5D5D9575C62A73B4E19EBB49803D47,SHA256=396873E4FA7A234918CF51886BD8C47C0F154CED45818C8ECEF2CBEC81861B46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:32.099{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:32.097{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:32.096{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 23542300x8000000000000000117438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:33.207{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CBFDC980B93931D8D700ECA448EA31D,SHA256=C4989F01864E87893E57E91DCB77A75B91E38627059F2DCAAB1907A6CE3A9FD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:33.006{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E11415F950404011E595C4286FA5DDB,SHA256=D95CADFBBBC509818914F975B2FA144C6085325C1C1F3BFF26A4EB3F1EC4ACC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:31.180{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51556-false10.0.1.12-8000- 23542300x800000000000000087045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:34.100{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=427D05A307631D15845EEC8057EB34DA,SHA256=C6056C89F71DE5AE341A9CD22790A7A64ACCE6A313003B3C8077C73C07517221,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:34.292{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EA9263372068D9FA949D382F65F4791,SHA256=4A8E620ECE8363812E1B169BB2B958DF91E165B58A21A8D15DF4CA3BFBBBF372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:35.186{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93816C518EAFAC2B3DAB1FA61EEB98EE,SHA256=3422246E4922F70A3AF20446F37DDFEB080DEEDA55151889D05DA633E58DC969,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:33.396{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64572-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000117440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:35.389{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBB26485A1875E9691199203424F10EC,SHA256=99BF5124A32C3F31EA359299C8745660395BD4D864E3B1415EE6B2CF709D6587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:36.281{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F810EC9FD23CDF37791B53D999ED280B,SHA256=AE5556F73229FF76F487CC107D732B5A755EF2596B5933EA695369579424D862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:36.478{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD50A843575AD50615F14F8C27EA341,SHA256=9BFE7F1202846BFBE3E56A4FD7709EA0601653101D7547969170C605CB6D3A51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:37.369{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA945E0A60C5B2EF462F4FF2D9D37A0,SHA256=0D2EA521DF28EBDAACD028DC28B06B95F9620D719D64B214ADE578A42438524C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:37.561{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10DCD1B2F6950BB9947B5CBFC10E566B,SHA256=75CBD9125120A85A4BEF3A90E36410569843DE893B06D66D094FA6B599AA306A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:38.468{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00504E1EF5100FB946FFA851F3DB834D,SHA256=9B2A77FDC0712CACC263B387342CCDB18BA0E09681D47895C8135D4F2483D9C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:38.658{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2741350B891913185F84479925293788,SHA256=2BB2C616302CDE7697163C94ED9EFCCFF8108F874342FDCCE594BF864750196C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:39.744{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D24F6E8AEE937FB05F7A62F255C87427,SHA256=6ADD859C0FB5FCCCFD53DC39F3402BEA11598BD95FC21EFB2B87430B591EC814,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:39.553{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A3954ED6809C877A6E22E95637FBBE8,SHA256=986868E70CDA9D0144B5B83E008DEA7F3EB61F8741F541A4AA76DA9B553C9BE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:40.831{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C64EC39BFD45CBE944911744B334F8D,SHA256=507482708F97D0F0ABA70A0EF3FA8786773543F0AFA84BEAD34631A77E5566B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:40.976{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:40.971{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:40.967{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:40.963{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:40.962{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:40.958{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:40.957{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:40.954{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:40.952{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:40.945{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:40.943{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:40.940{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:40.929{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:40.925{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:40.916{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:40.912{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:40.898{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:40.889{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:40.854{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:40.846{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:40.832{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:40.822{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:40.813{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:40.799{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:40.784{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:40.775{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:40.763{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:40.752{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:40.748{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 23542300x800000000000000087053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:40.641{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A65FB4E20CC0277BE1BE0121C054C21,SHA256=49C8B82891331140DBCFAA61FE247EF3C63D1D0C45B96B09D3A81DE184074C3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:39.356{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64573-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000087052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:37.222{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51557-false10.0.1.12-8000- 23542300x8000000000000000117448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:41.923{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=331615984C1240306A7BFB720428218F,SHA256=2E77AB8BCCCE5FE5925670466C7FC0B58A875E7DB50A0542B609D1163DBE0DBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:41.752{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B195F38AEC4F4BF530F8021407A85AD,SHA256=28A024F14D8DE99959B43E34F381589FDA61759EBFD837504677677DA4AFB495,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:42.806{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB4E6CD288E53AAB3FC34825CF4CD234,SHA256=3AA8020E6B59D54D6540226E89E462C247D262686E42DDAF6716CFAA954609B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:42.790{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=79DF6756D27509DF804E88D3D01A60DC,SHA256=1996EA38FC7349BF1DDFE0B53B06807920095654528FD2DCD739B2A174D80638,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:43.896{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0096209F24D4A37CFB693EE315B99F95,SHA256=65FDBA386D26D4454A3FA3C4D27DAE2D1C417D38F2449A3496922CF1A0B7223E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:43.016{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FED020384290B5080AB973E1AFFB9632,SHA256=D3D7EFCD75990020E137EA22C7F266C475251CF040169C2F018896FB2A4983E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:44.977{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=870F609B6970CD2007ABC6A2BEE91E23,SHA256=D230BF663090B475FE38B74A181AA75BC64AC88D53541E8F1C617D12C7189397,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:44.111{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D1602DFB8DEADCAF11494C7F3A970D,SHA256=BB7C951701B3ACDC1D4B33908BE15F9349630567C8CFA7B4ED7E2C304B795485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:45.219{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12A285BDE7B91235AD0CFE456B05F303,SHA256=73FC2324BD1B4743813040EF988CA72D27F6BEC6C56139716F5D8F1156FB737B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:43.171{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51558-false10.0.1.12-8000- 354300x8000000000000000117453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:45.235{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64574-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000117452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:46.310{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB870347325E99606C23FA628F3ADDC0,SHA256=21CDDA8E8264558CE17672CA7D75418EA1682E9AD5FE5BEB9DECCC22EE808C35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:46.071{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E7B4A9D798F4D518A0A53F11C3C5209,SHA256=0C66CA940B6FFCF00DDEB4CF3F1213C461A6114AC485B282972C9D9F51A535CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:47.397{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C19D1712703C77BFDBDE11233B546B50,SHA256=D5ADF644E8DF36DDA271E93717894248989EDAF36EB29007A66844A4F40E3905,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:47.162{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E4DFD369120FF025D581DA71F051C5,SHA256=244D5DD4E9348B3ACDEF3DFAC945A7DA9B5EBC8840AC948B77E8442D63573611,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:48.507{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=155F898CBD584108039E9C1D1FA5F965,SHA256=A05CA913622DB6E734BCCA2B41468A1DEEC9E2C8F5B87DECD66C830D93716FD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:48.242{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2368D544F42AB699F41354400264128E,SHA256=F4AC13AD71DC9380BDFE6549C8E11741E0DC56489C8DB56DCD59C679BB7C42F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:49.572{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEEBC3C1F42946AF068DB39FCDBC8002,SHA256=6B97FBCD1ED3F30BA0A6D697056EA409E0EF35DFCCCC17FB5C3E7539AA7F086E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:49.334{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=822E453A9F7D5C38732CACAED724CCD6,SHA256=27555EB6A202B199DE65D0DAFC4202829A0AB05DA08F12E74554B3AEC224BCBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:49.433{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:49.426{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:49.420{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:49.414{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:49.404{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:49.388{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:49.385{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:49.368{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:49.358{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:49.353{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:49.348{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:49.343{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:49.332{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:49.309{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:49.297{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:49.288{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:49.279{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:49.264{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:49.246{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:49.215{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:49.203{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:49.193{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:49.182{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:49.121{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:49.116{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 23542300x800000000000000087092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:49.057{A847701F-1281-63EE-1C00-00000000BB02}1884NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0729cc0666dfd4ba8\channels\health\respondent-20230216112453-154MD5=B67CF1AA8F02C4F88F32B9662830A5FC,SHA256=A3185EA3A347A8F67D824B533332877713B0C696AA9DEB83501331F2F0EF2A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:50.618{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C36CB1C875E0AAA607BC45E3CAC22EC,SHA256=A584FD43AFEDBE0A789653B17A481F130E7C567749A471FC9635F44805F32088,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:50.944{A847701F-1280-63EE-1200-00000000BB02}1016NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0A2F6FB9237F9C3B8F77F3BF642626CA,SHA256=FF3A4E113655A38801CE0315E691580AACACC94CD60D09179B2D43C549F3979C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:50.442{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06B9BF51F5DF3475D45D0F75CCAB83D2,SHA256=B1BB69473499CFAB284CB8428F4230634BAADA3037A0E63C01A26B3C56C35F70,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:50.158{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 23542300x800000000000000087094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:50.068{A847701F-1281-63EE-1C00-00000000BB02}1884NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0729cc0666dfd4ba8\channels\health\surveyor-20230216112450-155MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:51.694{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39A0ACF7B5715BAFE3E7929E3D2CC7DC,SHA256=69DDD880755795FF1CE9BFB23BE63882452151F770987A06054BB3747B1221AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:48.235{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51559-false10.0.1.12-8000- 23542300x800000000000000087097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:51.532{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B34AD26073D9A21066CE5F09A17846,SHA256=34D4F7A4A49C5DF8246F448C5FF9294D8D4BCC79737E16B2B3FBCA2D51422748,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:52.628{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D51F26AA346202A7DEB3EE2607059FC,SHA256=E7D7A62B31D97A9FDD19F04964D43C05AEB9CEC2E9F02766E106FCCE2F69CFC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:52.870{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:52.862{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:52.848{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:52.826{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 23542300x8000000000000000117499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:52.784{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04220E153D5ACFBB7E68CF8464216D50,SHA256=FA6135465E3A9824736E65A0DDC18A389F68692546B7E117E448BF009AD20971,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:52.775{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:52.764{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:52.746{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:52.734{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:52.731{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:52.727{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:52.721{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:52.717{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:52.715{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:52.712{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 354300x8000000000000000117488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:51.291{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64575-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000117487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:52.197{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:52.196{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000117485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:52.194{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 23542300x800000000000000087100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:53.713{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=880D44B88A3256062682AEE17A8AEB4D,SHA256=FA309DC59FA6D5CDB49CCB6C46D8D2F0F074802C5FA47361BAD20835B1764077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:53.837{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CF3D5941AAB9469F548602F717AFD77,SHA256=D5F5C8D063959ACBC6037C0C40533A35434999C96070F707334A77C17E164A21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:53.619{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C1EFEEE1364B1CD95C1F785AA0E5E923,SHA256=6234E5A29C5887220BD766CA871E7B84F0309D1F71A2FBB65362E111563F4E61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:53.572{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:53.572{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:53.572{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:53.572{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:53.572{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:53.572{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:53.572{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:53.572{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:53.572{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:53.572{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:53.572{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:53.572{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:53.572{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:53.572{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:53.572{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:53.572{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:53.572{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:53.572{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:53.572{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:53.572{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:53.572{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:53.572{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:53.572{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:53.572{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:53.572{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:53.572{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:54.808{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67632BEC4C9F207190D7E1FA3844FBC3,SHA256=61D8EC05815FC8C742867E4C845BF51E58AA722F2B90B8B64717A44576350EA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:54.885{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D442B86C9228E5069A712FE93EDD9FF0,SHA256=4056D3CC22C496A7499D8A6521BF495EA7CA0FB8817B69B3F50CBB823765BC8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:54.776{3F28B219-1285-63EE-1100-00000000BA02}756NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E17A78CC70BC813367C7CF15A64E8B5E,SHA256=4F3A74F564B365AEA3415BE1DEB48B2DD8DFBC6609376BABAB9998ECEBC9CA5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:55.968{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CB50D7F1C8D7A01B06223F4BCC3A05F,SHA256=93EB804678008DBB16B0052AD72F877BCA148E65F2B4B37753FFAC70399C49E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:55.899{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B31208ED5F878FA170D5431175D2A72,SHA256=13C85CE17DC6F8C2EB4E7A06D7539B22C5083BA633A666DC6A546527F9B5D067,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:52.519{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:c0c:31a:f5ff:fef0win-host-ctus-attack-range-732546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x800000000000000087105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:56.995{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F98498752F9B67D8BC38F335E930466,SHA256=9C7F4EA0A272FF6BC1CDB250397E227C2D304C1A754BDD6219F6667974247E38,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:54.146{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51560-false10.0.1.12-8000- 354300x8000000000000000117536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:56.314{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64576-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000117535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:57.064{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17C452D5C5EBD25F4E7186BACDFD1E57,SHA256=3DF6E2838639A15058E0D3BB5AE1F82603E55F57E442E43379BDFDD6CFC2D5E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:58.151{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F44FA743C4FB2DEB82429AC2585A25FD,SHA256=1B3AE5B746DE75DE307F0EC8F0D956CF0A6E60F29EA43CB656EB17D86D365BE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:58.091{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E742D0A0C158F9A4E9D21F84902E5CBB,SHA256=50B3B5BC63A143624F1EF4E352C44DE6153DC528784BAD62A5355E10A235DC13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:03:59.253{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80812581856377EF521FB63A2648CFE9,SHA256=4B376AC1EB259DC1C5B14F77C83F7A14EF24325FB896033D06B0C0622355A210,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:59.189{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEAEA12271319A84C6938C8DAE4D3DA1,SHA256=AA0320ECCB2215A595951D7CDCF9104FC99FD2523A98D253FF9E4A50E84BECBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:00.335{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=557A584C1724CDD340D1770F5C5854CF,SHA256=5DF13FE7D89A9238B0383A76E703B3DBD7559C0FD6EE251A1B7DD5EC5F956F56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:00.981{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:00.977{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:00.975{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:00.973{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:00.973{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:00.970{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:00.969{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:00.967{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:00.962{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:00.959{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:00.958{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:00.951{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:00.943{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:00.939{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:00.928{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:00.926{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:00.903{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:00.893{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:00.864{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:00.854{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:00.848{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:00.840{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:00.830{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:00.825{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:00.815{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:00.809{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:00.793{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 23542300x800000000000000087111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:00.778{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=281B95656156CCFC1211A59F701603F1,SHA256=86EC2ED804979D2F26D869E18FE5EEF314C2344A30388E16CC0816FC1020DA93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:00.764{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 10341000x800000000000000087109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:00.756{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 23542300x800000000000000087108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:00.270{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FC67D50C8B468900AB5998E0D86C0DE,SHA256=21699303A64FD5FCB539433220C377BEA10CB5AD87087C261FD5E62428D8941A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:01.423{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA90B1DF3534DDCA199947660A648DC2,SHA256=28487393654A75BC697F231B97B533572A90C04DD6A2FAF516FDB979462D8A6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:59.295{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51561-false10.0.1.12-8000- 23542300x800000000000000087139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:01.532{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B3F266DD67638C4DA604FABD481EFF3,SHA256=98EA0FAC3692566D4C08F8CC029CBF3B9C7FA378AAE6EE1C1A3D8B500776C5A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:01.327{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64577-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000117541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:02.512{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80699CA0C62E541349FB245889B22E92,SHA256=34ED07719E63489F38EF02B9AB11E0DD04806DEB73D0017567B6530401FC3BD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:03:59.858{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51562-false10.0.1.12-8089- 23542300x800000000000000087141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:02.552{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=777B4DA1AA0FA4F7FA41E7BEB375C92E,SHA256=175D2D5A196A02F5ECACFBC4C503641A119C7EA0BC73BCC4DF93B335DF40FA41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:03.705{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D204EE632F795F84BDDFBD00DE2C7C2,SHA256=15CF58CA823EB08093414D6C5A6BB8F4E3CA4E3DE61DB3F17E4C741F43D5C75B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:03.634{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52BC04C26A472EF0DFA94AB12A3CB6DC,SHA256=C32532B74AD41A5311BCF6041A56E7D782A5C83EA252555FE12C819DE167E875,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:04.809{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0050F1AB3078946470330EDF800807A,SHA256=0E54C257C865793721312999DBE60A6CA9F1F4A8BE96820E263D509B2B977FDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:04.721{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A038A271A01E5151DF5D444C494539B,SHA256=0BDEE9A3675071BD384BB096174BB913E8A0973820CBFA3BA67C2EA041480355,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:04.499{3F28B219-1293-63EE-2700-00000000BA02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-005f8c708c98243a3\channels\health\respondent-20230216112509-154MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:05.887{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8842AB8F47E30F47EB7462B222EC6D2B,SHA256=855AB454677CDD2A5883D6FCF792BCCBEBBAD550C7E60B39165036A533FD5825,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:05.809{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0CF413C11538BE87B25A53DC1DA7367,SHA256=FA3592C8D1BA503185E306FE6AFE792E7A67132F07B08DF9F0E5AD52FB5D2C4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:05.503{3F28B219-1293-63EE-2700-00000000BA02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-005f8c708c98243a3\channels\health\surveyor-20230216112508-155MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:06.977{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFF9F0A2C3E6D740668AEEB6B42A307C,SHA256=059321CD92394E52F74FB669EF169D6DD8B8C81D5AB1168A617CB9A0745028C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:06.894{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB38D894A3AE6CDC6EA3DA75020A35AA,SHA256=AE22E87E0304709B3A5B0180C53024328EF16B377A33D741B7B8D1F936B413CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:07.988{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=488878BAEEC0531613A772E3EA3AFE8A,SHA256=A02FDBCD6F3CD93350FD019F560BA5F18F0C6296897F0DD45F6C75E450FE6991,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:06.328{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64578-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000117551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:07.258{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:07.258{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:07.258{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:07.701{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:07.701{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:07.701{A847701F-127F-63EE-0B00-00000000BB02}628716C:\Windows\system32\lsass.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:07.688{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1E00-00000000BB02}1976C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000117553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:08.067{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4030D88003C9FCAB4066A9F06FE4F8A0,SHA256=B3252F2320C04FC27419AB82DF485C1B4F90C6523F7EA0320B027F147A216009,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:05.235{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51563-false10.0.1.12-8000- 10341000x8000000000000000117579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:09.434{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:09.426{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:09.420{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:09.415{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:09.407{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:09.398{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:09.392{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:09.380{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:09.367{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:09.362{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:09.359{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:09.354{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:09.344{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:09.321{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:09.314{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:09.303{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:09.287{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:09.271{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:09.253{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:09.211{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:09.202{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:09.189{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:09.175{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 23542300x8000000000000000117556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:09.168{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5928B9BD85F73CB4FCA09BFBD14EF920,SHA256=B1CDDF46D6E8F5810026C2FA1CDCE61A61E600DAFA5B2EC605E0C8A436EA64EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:09.112{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:09.109{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 23542300x800000000000000087153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:09.087{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2778F8E6B6FEF102838485CEC9381B6,SHA256=D4A434B0495C1F1A3B9F7D3091DA2973E484E749A526BDFD842EEBF3D9C18444,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:10.825{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-37DA-63EE-E804-00000000BB02}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000087172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:10.825{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-37DA-63EE-E804-00000000BB02}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000087171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:10.824{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-37DA-63EE-E804-00000000BB02}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000087170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:10.821{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-37DA-63EE-E804-00000000BB02}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000087169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:10.819{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-37DA-63EE-E804-00000000BB02}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000087168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:10.819{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-37DA-63EE-E804-00000000BB02}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000087167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:10.706{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-37DA-63EE-E804-00000000BB02}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:10.706{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:10.706{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:10.706{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:10.706{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:10.706{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:10.706{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:10.706{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:10.706{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:10.706{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:10.706{A847701F-127E-63EE-0500-00000000BB02}412428C:\Windows\system32\csrss.exe{A847701F-37DA-63EE-E804-00000000BB02}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:10.706{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-37DA-63EE-E804-00000000BB02}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:10.707{A847701F-37DA-63EE-E804-00000000BB02}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000087154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:10.175{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21322132319D3AB1496A4943B354C219,SHA256=EFE16A3294E32F197F61317B43F61DACBBED4431089F844C8E2140676E21F149,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:10.694{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=281B95656156CCFC1211A59F701603F1,SHA256=86EC2ED804979D2F26D869E18FE5EEF314C2344A30388E16CC0816FC1020DA93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:10.265{3F28B219-1283-63EE-0B00-00000000BA02}628676C:\Windows\system32\lsass.exe{3F28B219-1280-63EE-0100-00000000BA02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000117583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:10.187{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F7C3FF9D76D70D7E380286C3FA2C39,SHA256=D1E151E8B8E50B55000C021A2A011D92CDA1051E0487970B9E0F7D430CA1EA0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:10.171{3F28B219-1283-63EE-0B00-00000000BA02}628676C:\Windows\system32\lsass.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:10.155{3F28B219-1283-63EE-0B00-00000000BA02}6284564C:\Windows\system32\lsass.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:10.065{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 23542300x8000000000000000117594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:11.612{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F081D0E6C9EB2DA5A4B558D1E3785780,SHA256=861933A1E60BA339D9C31DEBC628487CAA7FEA82910EB5593B5890606241F5D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:10.427{3F28B219-1280-63EE-0100-00000000BA02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local64581-truefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local445microsoft-ds 354300x8000000000000000117592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:10.427{3F28B219-1280-63EE-0100-00000000BA02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local64581-truefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local445microsoft-ds 23542300x8000000000000000117591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:11.286{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=261DB26EC25D98C26166588C274DA44A,SHA256=2253FE8F711AF81D1A4C99DB3559EF81E694DDC6D4EBC8AD2DF8C6DD324FC599,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:10.333{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64580-false10.0.1.14win-dc-ctus-attack-range-295.attackrange.local389ldap 354300x8000000000000000117589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:10.333{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64580-false10.0.1.14win-dc-ctus-attack-range-295.attackrange.local389ldap 354300x8000000000000000117588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:10.318{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local64579-truefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local389ldap 354300x8000000000000000117587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:10.318{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local64579-truefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local389ldap 23542300x8000000000000000117586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:11.208{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0891D06B992A88CA4DECD6401DB2E935,SHA256=530095E75DF0879CF2D8C70DE48B43D103DEF12F0A1EC470394660D368D23980,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:11.866{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E4BCD727F1F59F38BCA7154B608304E0,SHA256=BC7BF8F00722D49D69797408F8C10E4DC03112B837B6363600CA3DC1015B18E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:11.763{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC6D9F3B6EEAB17999D861DF1A9196B4,SHA256=DA103B36202895E5EE8396CAF436314BA7A0269B038B9E107446D33C41DCF623,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:11.607{A847701F-37DB-63EE-E904-00000000BB02}832896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:11.388{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-37DB-63EE-E904-00000000BB02}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:11.388{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:11.388{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:11.388{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:11.388{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:11.388{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:11.388{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:11.388{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:11.388{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:11.388{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:11.388{A847701F-127E-63EE-0500-00000000BB02}4122040C:\Windows\system32\csrss.exe{A847701F-37DB-63EE-E904-00000000BB02}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:11.388{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-37DB-63EE-E904-00000000BB02}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:11.388{A847701F-37DB-63EE-E904-00000000BB02}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000087174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:11.247{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4776FB723FE6F5C43F6036146D935BCE,SHA256=2AB075D7C213A8ED410148CC899FB27851F49B1C31DB1E2DAD7010F4877505FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:12.745{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:12.741{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:12.732{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:12.714{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:12.673{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:12.660{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:12.645{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:12.637{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:12.634{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:12.631{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:12.628{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:12.625{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:12.622{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:12.619{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 23542300x8000000000000000117598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:12.272{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11C312A550EB3C23037307F40FF7B1C1,SHA256=EB4AFD6DF3D6370B655843F1DFA15D7D4EA2B15E51E360328A45308B157DC4F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:12.962{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5064316790CABF71BC50D75F835EBCAB,SHA256=B75224A4F2602B06D6A10638324FB5F3C316802604368DE7206039B53FAEF24C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:12.334{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7B0D356066BC68E6072C8D51DDE9945,SHA256=92A722E1094AC12FCDC066831AE2FA34BEE45273237B96E686D98FE038556687,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:12.110{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:12.110{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000117595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:12.109{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 23542300x8000000000000000117615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:13.335{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FAA5BC22593A9D946961F574EF44AB7,SHA256=EC209E13AEDBA2D31AA433A5B65DC935263017B939979C2B4683BDC70E32E0E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:13.525{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-37DD-63EE-EA04-00000000BB02}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:13.525{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:13.525{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:13.525{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:13.525{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:13.525{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:13.525{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:13.525{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:13.525{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:13.525{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:13.525{A847701F-127E-63EE-0500-00000000BB02}4122040C:\Windows\system32\csrss.exe{A847701F-37DD-63EE-EA04-00000000BB02}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:13.525{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-37DD-63EE-EA04-00000000BB02}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:13.526{A847701F-37DD-63EE-EA04-00000000BB02}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000087194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:13.431{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA6370E312316C8BA06D202B5A7F942D,SHA256=3A1582B6449D9CA1C9CA37BF465CA8F91C0C8A7423492219727BFEE859C9AA33,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:11.366{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64583-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000117613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:10.837{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64582-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x800000000000000087193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:10.335{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51564-false10.0.1.12-8000- 10341000x800000000000000087222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:14.834{A847701F-37DE-63EE-EB04-00000000BB02}36122220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:14.615{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-37DE-63EE-EB04-00000000BB02}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:14.615{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:14.615{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:14.615{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:14.615{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:14.615{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:14.615{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:14.615{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:14.615{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:14.615{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:14.615{A847701F-127E-63EE-0500-00000000BB02}412528C:\Windows\system32\csrss.exe{A847701F-37DE-63EE-EB04-00000000BB02}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:14.615{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-37DE-63EE-EB04-00000000BB02}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:14.616{A847701F-37DE-63EE-EB04-00000000BB02}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000087208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:14.537{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B523D39F9A3111B183057C991C4C13F6,SHA256=BC6D310F51088CC9ED5E634173299315DD3CADC01FA9C98B834A21E466144C47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:14.428{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A64B4A0FB7B7CF90A878B94E19D3CBED,SHA256=32AEB5676B35085CE77CABF97F6C6380190827E640F44E0A03B0FD3EF4AA62A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:15.783{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-37DF-63EE-ED04-00000000BB02}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:15.783{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:15.783{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:15.783{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:15.783{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:15.783{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:15.783{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:15.783{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:15.783{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:15.783{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:15.783{A847701F-127E-63EE-0500-00000000BB02}4122656C:\Windows\system32\csrss.exe{A847701F-37DF-63EE-ED04-00000000BB02}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:15.783{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-37DF-63EE-ED04-00000000BB02}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:15.783{A847701F-37DF-63EE-ED04-00000000BB02}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:15.510{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4187027B59805966A62B43B2C1F64FC2,SHA256=11822EF4A8C569F615D620E6D7DEFF1DD2DD5A9E7A9008893BC89DB6273DC93C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:15.299{A847701F-37DF-63EE-EC04-00000000BB02}18922940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:15.112{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-37DF-63EE-EC04-00000000BB02}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:15.112{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:15.112{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:15.112{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:15.112{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:15.112{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:15.112{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:15.112{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:15.112{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:15.112{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:15.112{A847701F-127E-63EE-0500-00000000BB02}4122040C:\Windows\system32\csrss.exe{A847701F-37DF-63EE-EC04-00000000BB02}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:15.112{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-37DF-63EE-EC04-00000000BB02}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:15.113{A847701F-37DF-63EE-EC04-00000000BB02}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000087259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:16.845{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30B9E7F8DC93A5F0EE53094755955C16,SHA256=AE4CCE5BF6967B953BD5C5407CFD260B0FBA51F3B8BC88AED016C94A385AF667,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:16.845{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64D5C71AAAD5CC5E47F376BD57F24EBE,SHA256=C4A1CAE6570A2C311EE4D84EA873A795AAEA19E5DD7DA1D53779E3A1AFEC6651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:16.597{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBA90A68F3A369B77953A114402A7217,SHA256=808561919FB45AB749B8DBB7813ED0A0D9712E06C6DBE6716357266C1B508CD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:16.272{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=414651D164DF4FB1EEF898BD6B55B86A,SHA256=3F66F4377D7616CB6D3B80A1F0DCE046CC97A8871842845DE837806F7FC24BF4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:16.035{A847701F-37DF-63EE-ED04-00000000BB02}27724028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:16.014{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-37DF-63EE-ED04-00000000BB02}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000087254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:16.014{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-37DF-63EE-ED04-00000000BB02}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000087253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:16.008{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-37DF-63EE-ED04-00000000BB02}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000087252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:16.008{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-37DF-63EE-ED04-00000000BB02}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000087251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:16.007{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-37DF-63EE-ED04-00000000BB02}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000087250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:16.007{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-37DF-63EE-ED04-00000000BB02}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 23542300x800000000000000087260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:17.933{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA1BE760B8D47D942E8EAD1EC61BB8FD,SHA256=5412F934C257CD2621C412B39053484922EDC953C77E029CEF03372FEC6B4C84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:17.689{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D93C93119E62F2F144ED7AE299B5DF3C,SHA256=509B4493F120E44EC99B06EF871863A9A6BE11903D4FF13421AD486095EF9FDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:18.761{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B203B91D4CE0544D9025791238C4795,SHA256=ACCE2F2B1476A296F4DBBAA72FAE65307CF2873259C7D14852FBA3C05C84D27F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:18.677{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-37E2-63EE-EE04-00000000BB02}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:18.677{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:18.677{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:18.677{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:18.677{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:18.677{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:18.677{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:18.677{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:18.677{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:18.677{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:18.677{A847701F-127E-63EE-0500-00000000BB02}4122656C:\Windows\system32\csrss.exe{A847701F-37E2-63EE-EE04-00000000BB02}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:18.677{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-37E2-63EE-EE04-00000000BB02}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:18.677{A847701F-37E2-63EE-EE04-00000000BB02}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000117620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:16.396{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64584-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000117622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:19.847{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EBFE706DEA95A4574DD0A13A378C5C4,SHA256=59FB8A8D5EF8EE865F87432BCBD24B54E1D42F9B058AB0459A274F91E67E2120,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:19.035{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69C52749A38BA0FAB4B9EA0EAF9F3DCF,SHA256=580451FB7F8BA4471A8FD0F8BBE64C979BC017B8D4492C85501AA449525447EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:16.359{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51565-false10.0.1.12-8000- 23542300x8000000000000000117637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:20.938{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=022206537B8EEEEBAE96D68653341810,SHA256=5F7AF88F56DB6464EE2D9685482DBF461F391A8CDC6B8AA6C159BC9D38468485,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:20.983{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:20.980{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:20.976{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:20.974{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:20.972{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:20.969{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:20.968{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:20.967{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:20.965{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:20.961{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:20.960{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:20.956{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:20.941{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:20.938{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:20.929{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:20.926{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:20.904{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:20.894{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:20.862{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:20.854{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:20.842{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:20.832{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:20.811{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:20.797{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:20.789{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:20.781{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:20.772{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:20.762{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:20.758{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 23542300x800000000000000087276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:20.120{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A152C75BCB8D328ED6222B3C526633D0,SHA256=48518EB5EA6C4D47FDB72660C9D25949F31F3A0A651013B3F557D9ECE7BCDA67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:20.792{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-37E4-63EE-5C05-00000000BA02}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000117635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:20.791{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-37E4-63EE-5C05-00000000BA02}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000117634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:20.791{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-37E4-63EE-5C05-00000000BA02}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000117633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:20.790{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-37E4-63EE-5C05-00000000BA02}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000117632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:20.790{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-37E4-63EE-5C05-00000000BA02}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000117631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:20.790{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-37E4-63EE-5C05-00000000BA02}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000117630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:20.691{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-37E4-63EE-5C05-00000000BA02}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:20.691{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:20.691{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:20.691{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:20.691{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:20.691{3F28B219-1282-63EE-0500-00000000BA02}412380C:\Windows\system32\csrss.exe{3F28B219-37E4-63EE-5C05-00000000BA02}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:20.691{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-37E4-63EE-5C05-00000000BA02}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:20.692{3F28B219-37E4-63EE-5C05-00000000BA02}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000087306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:21.409{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=531DC821FB95B5C71D2F836B7DB20CA5,SHA256=7416B69E47401DF76A8656A7F2C7929360C95B37F33079472B7C906A93E61FA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:21.839{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3EB03C21993251F5C798685FA5CB38F9,SHA256=C67FF9F88F4E499F5FD96655B6A73FFCCE8009782E21526B64660B23EF061B4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:21.785{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72EFF9D2608016123FFFC5756A363195,SHA256=07CC315D5CEDCE4CDE70E22081CB9D75A277F059D7375AFFFAA563AEFB532EEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:21.547{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-37E5-63EE-5D05-00000000BA02}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:21.547{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:21.547{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:21.547{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:21.547{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:21.547{3F28B219-1282-63EE-0500-00000000BA02}412380C:\Windows\system32\csrss.exe{3F28B219-37E5-63EE-5D05-00000000BA02}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:21.547{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-37E5-63EE-5D05-00000000BA02}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:21.548{3F28B219-37E5-63EE-5D05-00000000BA02}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000087307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:22.508{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CEF427A8F85BEACE47C9E7B0381EEEF,SHA256=7879BC9C311B0BC78030657B106352F4B61F4FD4E24E82BF5124D68A52B19E73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:22.955{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-37E6-63EE-5F05-00000000BA02}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:22.955{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:22.955{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:22.955{3F28B219-1282-63EE-0500-00000000BA02}412380C:\Windows\system32\csrss.exe{3F28B219-37E6-63EE-5F05-00000000BA02}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:22.955{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:22.955{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:22.955{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-37E6-63EE-5F05-00000000BA02}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:22.956{3F28B219-37E6-63EE-5F05-00000000BA02}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:22.768{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8EDD6A03CB5F90F6BDA12B725038A918,SHA256=CB79EAB353BDD3B9B270531F9602FB9ED1986F9244C3919CC82F88EEF1A6D078,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:22.468{3F28B219-37E6-63EE-5E05-00000000BA02}69924768C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:22.218{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-37E6-63EE-5E05-00000000BA02}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:22.218{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:22.218{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:22.218{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:22.218{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:22.218{3F28B219-1282-63EE-0500-00000000BA02}412428C:\Windows\system32\csrss.exe{3F28B219-37E6-63EE-5E05-00000000BA02}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:22.218{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-37E6-63EE-5E05-00000000BA02}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:22.218{3F28B219-37E6-63EE-5E05-00000000BA02}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:22.140{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C717CC311018C7A2ACB63F8E0528E081,SHA256=DCBA02EB8BBA44DFD1F3364F041A6B3DA142ECEC986482ABD7098158C7EB058A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:23.597{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B319679D9F1019F627800DF2791ACB3E,SHA256=D78D0AEC84362235957044B204DD2FB52FDC3783A78499EE6EAC788DF5497C34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:23.255{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFD4CADF3D4E28D385FCC956DD86A555,SHA256=1C48BEB27120380E3268F64B70800C0ACDFC258FD532FFFAFA9AC481B7859FFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:23.162{3F28B219-37E6-63EE-5F05-00000000BA02}5244496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:24.688{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B97FF9466974044BDAD55B25691BA5B8,SHA256=79B7E323EEF41DCA3AD1FD540EEFC1B00046AFC4B2F4595B0052D48F450FD602,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:24.770{3F28B219-37E8-63EE-6105-00000000BA02}39963164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:24.582{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-37E8-63EE-6105-00000000BA02}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:24.582{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:24.582{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:24.582{3F28B219-1282-63EE-0500-00000000BA02}412368C:\Windows\system32\csrss.exe{3F28B219-37E8-63EE-6105-00000000BA02}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:24.582{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:24.582{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:24.582{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-37E8-63EE-6105-00000000BA02}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:24.583{3F28B219-37E8-63EE-6105-00000000BA02}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000117679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:22.236{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64585-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000117678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:24.332{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC5FE8466BCCE516FF9532103E038721,SHA256=4812E74341D1B81E2B1239AD52FCB5851EDA4AB40ACEF8D771753370C36C20CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:24.301{3F28B219-37E8-63EE-6005-00000000BA02}69441968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:24.082{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-37E8-63EE-6005-00000000BA02}6944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:24.082{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:24.082{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:24.082{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:24.082{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:24.082{3F28B219-1282-63EE-0500-00000000BA02}412380C:\Windows\system32\csrss.exe{3F28B219-37E8-63EE-6005-00000000BA02}6944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:24.082{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-37E8-63EE-6005-00000000BA02}6944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:24.083{3F28B219-37E8-63EE-6005-00000000BA02}6944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000087311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:25.794{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89A73CF18595DBC5F819FBAF71EB02BB,SHA256=79D21F867A857A47601C9D8F914B3496C0A0A66A6D2ABEE51C91467FC2186704,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000117701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:04:25.752{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000117700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:04:25.752{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00922881) 13241300x8000000000000000117699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:04:25.752{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d94207-0x31c943e3) 13241300x8000000000000000117698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:04:25.752{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d9420f-0x938dabe3) 13241300x8000000000000000117697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:04:25.752{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d94217-0xf55213e3) 13241300x8000000000000000117696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:04:25.752{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000117695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:04:25.752{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00922881) 13241300x8000000000000000117694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:04:25.752{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d94207-0x31c943e3) 13241300x8000000000000000117693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:04:25.752{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d9420f-0x938dabe3) 13241300x8000000000000000117692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:04:25.752{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d94217-0xf55213e3) 23542300x8000000000000000117691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:25.408{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF6CA78B2823BE05E547DEEA3008BB3E,SHA256=A05527A471A21BA041DE7FFDF629F8B396B94941E7E92EB62F6A5E228FA7CAE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:23.476{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local64586-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local389ldap 354300x8000000000000000117689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:23.476{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local64586-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local389ldap 354300x800000000000000087310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:22.259{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51566-false10.0.1.12-8000- 23542300x800000000000000087312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:26.874{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52454BCD859454C10AE35E4CC4185E8D,SHA256=689C5E3C26500136487C45F26BFF3BD7E6E833F3C637D4AB6223B3846F72C050,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:26.873{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-37EA-63EE-6205-00000000BA02}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:26.873{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:26.873{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:26.873{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:26.873{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:26.873{3F28B219-1282-63EE-0500-00000000BA02}412368C:\Windows\system32\csrss.exe{3F28B219-37EA-63EE-6205-00000000BA02}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:26.873{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-37EA-63EE-6205-00000000BA02}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:26.874{3F28B219-37EA-63EE-6205-00000000BA02}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:26.498{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D8F5B4122B1BC6E252D4D1E92970594,SHA256=C892BAC5B7FC78473D9572422441470B6AD03A153DEC979F6E79A0C860DC0D62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:27.959{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3B8A6D9F346AB847CDD7F5BAA853F74,SHA256=E08F5283492A9DC12C0821B138ECFE71DA3749E4C541FCFDA365DCC20F805485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:27.877{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=497CD899B5E996DEDB1C445FA7A25BCC,SHA256=2FF292790E90AB5A66C5DA2AC071EB4EAEC5AD88D797328E3BE2A9A1A9116AA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:27.587{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55F4BF61780F4703BDFD161C9948D914,SHA256=2EC4010B7CA5DB6F2DFF5732F3C4157E587C3C041A26E53A518287F57983F7ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:28.682{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9167FA15F3EB790AA5757C4F3504B69E,SHA256=909C911F609FCED76EB9E8DE6C7B963A4AD77C32197FD1B461D7E4B65D289C96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:29.968{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 23542300x8000000000000000117740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:29.743{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49C39DDCD9BAF5D1DC03B174C993ACD0,SHA256=2432AA42A329DDA393D180ED8FBF1BAA669E360F810DE742D763F3B626D4AEE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:29.037{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00676D6A0E4C9697B94F3ADEFE0024A0,SHA256=78D2FAA32F9ED9A8A4C449D34E160AB6D4D83FFEA5E1E5969D1880F2AF70FD61,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:27.341{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64587-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000117738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:29.467{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:29.462{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:29.460{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:29.454{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:29.447{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:29.438{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:29.435{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:29.412{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:29.399{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:29.393{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:29.391{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:29.384{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:29.378{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:29.364{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:29.358{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:29.348{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:29.340{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:29.331{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:29.320{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:29.283{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:29.273{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:29.264{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:29.254{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:29.135{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:29.129{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 23542300x8000000000000000117742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:30.822{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=166E77BDFBF12392E9182334F98D84D0,SHA256=0C893B3293EAC2CC05A32F480B7E0E4C94F75179A2176952BDCCD163FB0A4CD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:27.294{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51567-false10.0.1.12-8000- 23542300x800000000000000087315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:30.134{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2757488E2DC7D84357349CD1D1BBE23,SHA256=49E3DD155253D938B10F84EF6A091413059177F9531BA0B9AF2D4652C1A14EE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:31.892{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A54C8742E51BB80A41533007D593F3F9,SHA256=A2D80E928D52D5E8FA8419802C14DB7480AA0558F4081BA0E5186FC53E225170,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:31.211{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08D29308DF5C45BD70A958DCBEEE1D12,SHA256=469B91CB703CDEEA9EB6D5095AFB1E76FBBFD535BFC56F7917DC0EAAF9F6B269,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:32.968{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D39F192788BF2D3A91032F08F5E0AD2,SHA256=6AAF733E570AA15BECD2B6B42B47045A2AC010D33BC7DF59603F3A13C6C90038,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:32.312{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6A75765490E56450E9A30E64B13ACC0,SHA256=6BFED7C876B9F78CE2EE844607368A436D30C3A1E1A38C19ADC48683D8D928A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:32.680{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:32.660{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:32.628{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:32.602{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:32.558{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:32.552{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-14C1-63EE-EE00-00000000BA02}5488C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:32.546{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:32.530{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:32.524{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:32.522{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:32.519{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:32.517{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:32.513{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:32.512{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:32.509{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:32.006{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:32.005{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:32.003{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 23542300x800000000000000087319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:33.421{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ED4BC23BEEC99E3B1BCE2D322E68636,SHA256=451D442EF1BC350769B6A8C99F434786B729A4A1C6A651580E07CC37D47E06DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:34.504{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A09E59106F6C22DF166CDB4633538F7,SHA256=94B1A41AA871385AE22A711DE87AC4A974EAFD3A7D8178DC1A48641141CF0FAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:34.084{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6395482DB227F2B93DC630D7A5621CA2,SHA256=0EE5C6FC384783C918E19884B363C395016E3C47E60286956D65DA06CB32A6E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:35.582{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3341E3D6CEE0C6D20B5B8F98E2711F82,SHA256=EA1BC1AA06C3FA7904B258CD44699056C208C820B6984766BF8D3F05AC553139,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:33.202{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64588-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000117764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:35.172{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E76E3E4530EFDDAC8397B66F4823FEAB,SHA256=97EBAC99B23890385D00672F214DCEDB8892A052F5BAAC3A4F500535E1D853C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:36.664{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DD99DF4A305450899F0A956B49F26B8,SHA256=D1213606DB2BE4E1867F50899B8487C7871AA0ACDA4943D14E3BC77118C60FCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:36.263{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33FCC4F05A069FD893C3308A2D011D6F,SHA256=37072ED3A87E5E5DF130A5EC42C2828BCC4D217F080F8F3EE494CE80F5A5545B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:33.284{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51568-false10.0.1.12-8000- 23542300x800000000000000087324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:37.787{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=599032572B8C88178E91CB8DE30CB686,SHA256=782DED7EE575E4EFC032C172946BDC02B23DE023AD55C56CC532C241EE0CF31E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:37.371{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EB0A762A4C20826508A1608288CCA7D,SHA256=A4EA166A1FA5AEC0073404DAC1E78CC9083E8C81D793F356D7B4476E0DDC40DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:38.872{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F61EE21ADDCDF25CEB913BC589D7ABC5,SHA256=C3CFF1BEFCD6201888516CA92D5EA004F176498B78D18780CDAB9CB1CAE1692D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:38.459{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F771CBF956B18F765E1F1867D3423468,SHA256=B67AAE4BF43AAD29DD1429F3E95E2F65510F5631765E0055ACA0F9195FB11387,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:39.552{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027518F56D20C892FDAE0433D45FBE00,SHA256=165A142F66273D0B7DB788011F1E266AF7340F000179B15D2F3D33D9FDF6D1DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:40.641{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F82385EAF2A3C42CDB4244FD3C462EC7,SHA256=88397036DE030DCB46005192F4CB0D197343AF110A68B384EFDB34AB087215F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:38.337{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64589-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000087355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:40.992{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000087354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:40.984{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000087353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:40.980{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000087352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:40.977{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000087351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:40.976{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000087350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:40.973{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000087349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:40.972{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000087348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:40.971{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000087347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:40.969{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000087346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:40.961{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000087345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:40.955{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000087344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:40.951{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000087343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:40.938{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000087342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:40.930{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000087341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:40.922{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000087340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:40.917{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000087339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:40.898{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000087338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:40.889{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000087337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:40.859{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000087336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:40.848{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000087335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:40.839{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000087334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:40.833{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000087333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:40.823{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000087332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:40.813{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000087331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:40.802{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000087330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:40.787{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000087329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:40.778{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000087328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:40.765{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000087327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:40.759{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 23542300x800000000000000087326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:40.071{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC9B34E1E78D5853F997EC9CC6866D3,SHA256=BB2643531F655D63946AB68EE6EE0720D8C4FE9D980F99D88ED882B412C166F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:41.749{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92D73B940555C15961741EB10E541C17,SHA256=545CA9EF11ED739A0B802F04667A148005564824E242E49D90D7D3E66D0694CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:41.624{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFA394E1760CC7868A09ECD3923386AC,SHA256=8094240C42E1447F1DCFB392C47D706F9D60E9B8E2F228D831D99C321E7B7E1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:39.284{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51569-false10.0.1.12-8000- 23542300x8000000000000000117773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:42.826{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFADD2FF110A970A39DDBB562937A9AC,SHA256=D0F223E7CF28244DC020715F6002251470522087E5141ED2A6FD71BA8BF98828,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:42.676{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0A7FA3BBC1B2C4E76166A71C68BD321,SHA256=6B7328C51F20900FF9025906D808B0B16C231C4BF7343B0F67A6C26938509D33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:43.912{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FA55231B8863EDB33E08ADE568E4336,SHA256=E0BC19089AE43109FA60E0DDB771E4B7F48BD73CE74B7DDE4EBE41A25E60979D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:43.767{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CE5617E6CB2F59EF23F44DA15D2EE56,SHA256=C2E738AA5937E7F8E6A23FA822D1DD65F3AF089DBC51099F4E86B7F07528D946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:43.125{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8C9EB288226ADB92C15F6A039165E087,SHA256=EB96C6F95CE0DAC0FA45E6C26BF420D430844EDD8A28133E5E61E537CA17C0D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:44.990{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=887BD59CD0381030DF580FEA222FB800,SHA256=7E30F4506548723A7995BCC5EDF22284E3136A94307FF2E559F2A2D99BFD8E50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:44.859{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=735F914D4D5D5DF36DBA605FFAA687F2,SHA256=BBFCF749F43CC20BD7062D0BEA40E05A99120921FC4017417CAD634C0BBC3989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:45.959{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F9CACBCA0D33E2E7CAACC0303BF7A0D,SHA256=2A512C6DB15C413F79D4B5620F47F920A3A663E76591C716EF59C1BBF963FA2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:43.416{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64590-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000117777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:46.087{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B4C7DD74D1E97ABA0AA370022C73091,SHA256=F45CDEAF325838F2BD240B22401EDF800084C2AC86DF119DD07AD79146FD7A5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:47.053{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6308F96B8713F6CB4FC8407C52F473D,SHA256=E9CD6F5B1B4F914E788891C840F0DB2D377B1D91330D9286A3E648EFADABCDD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:47.177{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6982EEDE701DFC8FC1D1A0A91880101D,SHA256=844872B357B93A6A4D34DA8847C816A4E6A29A2C5BA0367968462C2D5A4096E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:45.327{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51570-false10.0.1.12-8000- 23542300x800000000000000087364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:48.152{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E379C9EBAD5A92B5EA912ED0E15B389,SHA256=825E96C765F4297FF5A2734D35E33E38141B19FD875D67A8F212FC049599828A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:48.253{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF2283E35C2248BFADF55704ED6ACCC,SHA256=2FE78C2F528F04D6F5DAB078B098B16F061788FF8C4DBF982BA72A83E8A04DF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:49.241{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9DDB9E6080DDFCF67F1BDD6B251A8F9,SHA256=0C91475D1B77D9D4FC2732C9FE59C18B8663221DB668497AA2A92F8DA2097C1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:49.951{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:49.453{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:49.447{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:49.445{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:49.442{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:49.437{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:49.427{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:49.425{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:49.417{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:49.410{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:49.408{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:49.405{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:49.401{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:49.382{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:49.352{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:49.340{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 23542300x8000000000000000117790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:49.333{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB8AB4DD0DE17A48D0A85CD2AB0C2924,SHA256=62B34AC5DC541C76894013DD3C13CC097D0E9DCC6D7A28DFC303872AD56D0F32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:49.322{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:49.301{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:49.283{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:49.264{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:49.217{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:49.200{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:49.182{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:49.171{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:49.115{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000117780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:49.113{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 23542300x800000000000000087369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:50.948{A847701F-1280-63EE-1200-00000000BB02}1016NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D19B46E117C1D5D49E2B546627E8DD18,SHA256=857A581AC61BA774CDFF057D1843FD38DBFA2F8CB1108ED68379E28D3FBBB4AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:50.592{A847701F-1281-63EE-1C00-00000000BB02}1884NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0729cc0666dfd4ba8\channels\health\respondent-20230216112453-155MD5=B67CF1AA8F02C4F88F32B9662830A5FC,SHA256=A3185EA3A347A8F67D824B533332877713B0C696AA9DEB83501331F2F0EF2A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:50.323{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68DCCD97AB1AF674BECC508FC977D905,SHA256=498B3384DC9F471FC52B5BDDBE38D898AC570E498C145B3E05E6BFE3A7CF4EBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:50.377{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71F07E6A704AB9CE45379EB5B4BC2313,SHA256=B6BE6B98FC51D5DF98EEF2DC4EC69078DC191DE76F7A5A950FD1E5B0D924F20C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:51.604{A847701F-1281-63EE-1C00-00000000BB02}1884NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0729cc0666dfd4ba8\channels\health\surveyor-20230216112450-156MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:51.400{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=991D5EF1707248B4BC45B3D887BA87DA,SHA256=D3C820375294AAB39E059AF6C16F22E10EB22B888074BFB2C7561C48076130B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:51.990{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:51.989{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 354300x8000000000000000117810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:49.213{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64591-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000117809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:51.987{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 23542300x8000000000000000117808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:51.475{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75743DDD7BD22E49787D2D77A044D10A,SHA256=DE94732248134E74358B9E4487DC33C29627B244E6282863398F7C9BC379F33C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:52.475{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13078BDB218665F78757F3BAE6D4BA1D,SHA256=02820E5AB4F1D0C1497277FEBC052BB474E9C966748C94DA5A4DD7A8828473A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:52.618{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:52.612{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:52.600{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:52.587{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 23542300x8000000000000000117823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:52.555{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6437599960B39B05ABD67BBB635809C2,SHA256=3C903DA232499E91BE78A41E61DB1F808D0F694531605F909891AD6BF9D5A224,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:52.548{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:52.536{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:52.521{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:52.514{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:52.512{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:52.509{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:52.506{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:52.504{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:52.502{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:52.500{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000117831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:53.757{3F28B219-1285-63EE-0F00-00000000BA02}3041232C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:53.757{3F28B219-1285-63EE-0F00-00000000BA02}3041232C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000117829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:53.538{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85D1C918F7B0BECB87BCE00FA791EBF9,SHA256=1E7FF5C979A12E8D9262DDF00AEA2DB7B6D528445B9F42FAFF363EC5C0EDC16E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:53.560{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD93C933BC62E681D988A72C3B5B02AC,SHA256=D36C683C5ABA5F3B12D5AEFE357DC24AFD1B2D0075139680858A42661ED491CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:50.347{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51571-false10.0.1.12-8000- 23542300x8000000000000000117828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:53.013{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=54EDC1A39F62C16DF109DD56351DEA88,SHA256=9B6A0AADC0002E0E027268E941227F70650C7888834E61124F9C29AFB9C49EFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:54.790{3F28B219-1285-63EE-1100-00000000BA02}756NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=EFF6FDB0430F7C99C4DEAA00A45BD655,SHA256=8EE4DE720EEE263740AFF313F1658E7B408868DE03F0FE901A7A7D7864ABA674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:54.618{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23F2921F36A2A3AEAB5C5C460B4E56E0,SHA256=23D62246A125580854526A3BC744A4AD29326A473545F1FD474ECEB32A8253CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:54.650{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2330D71A58A5269B2E2A3292192B7CE8,SHA256=11F31351B0D9BFC4A743885AC9E29CA9A9F6B976B72A4DB686ECAC18E40123FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:55.714{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA5048EFD26E54172B436BACC60F572F,SHA256=40EC8825A70F328DBBC50FFD7C59AAE08E77F05D2F39E767C7B7650868C4EBBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:55.738{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD40A59F284B42DFE714B1C1AE5ECC3E,SHA256=531E429FA3E552205EFF5FA6F60749E42370C031CED0AFF6E6AF16AA074C44F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:56.805{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D19D1418675155E2253021D1F9391EC,SHA256=E96321092C2534B2ABBE8F0B6D916484EF49906DB97B5A13D1AB27FB29410949,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:56.824{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03F3BA2D35B9CDD60A8FD262C8A4F4FD,SHA256=C967CA2A6C99E9A77BFD67FD91ECC52E705D9011EAC3E772FC6C7533E09A477C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:54.321{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64592-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000117837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:57.901{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B42758C538F514957BF3937B471E598,SHA256=00AF1A0CB8B08E60AB85A882285EE7E46DF6D47790E8C11E8333D835778DA63A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:57.911{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B941D8AA459943875A9FF45EBCC412DC,SHA256=49C073F308EB456A278A81FD011A6B30DF7AAB36606EA2AA1D9C65CCC096088E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:58.991{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A07F1B1B5E32FA7280C47800062627E,SHA256=FB7702AAACEBAB03574FFE39F9B89F7184BA4B372A0A4AA1368D0F56206D6EB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:58.995{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63FEB20AE9572785D174C8F0E00DDF63,SHA256=85EF6E9957799CE3A320CED5C5E3B180B52D9A8EEE50016F1B63CB9B09032EF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:56.114{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51572-false10.0.1.12-8000- 10341000x800000000000000087400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:00.993{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:00.979{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:00.976{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:00.966{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:00.964{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:00.944{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:00.930{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:00.884{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:00.869{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:00.857{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:00.844{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:00.826{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:00.812{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 23542300x800000000000000087387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:00.799{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=281B95656156CCFC1211A59F701603F1,SHA256=86EC2ED804979D2F26D869E18FE5EEF314C2344A30388E16CC0816FC1020DA93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:00.792{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:00.775{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000087384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:00.770{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000087383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:00.763{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000087382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:00.753{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 23542300x800000000000000087381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:00.085{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8C21D2F1F82FF0577AA067A4D2D98BA,SHA256=F8CA0BFBC1C482B1B2C7D1867AC6994520FE49DC76CA118C0A0A355A491424EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:00.074{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C79EA25BA5C280317A6F5E0B082E36F,SHA256=7B10D3733F29B0FCF7397EAF59CD8FC01D87024572D1881EED5D4AF14FE0DC71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:01.474{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1018C68989F2A08928063F2D69308427,SHA256=69045D4559754F1319FAAD566D0CEB287475AD71732B00E5BB2DFC60E679A6CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:01.154{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E5A4DE76000036D577F59B300792ACE,SHA256=91492F83ECEF61FA421C6D290B9C7ADABE12809B7CB70E069D73C6A18F033256,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:01.035{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:01.030{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:01.025{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:01.022{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:01.021{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:01.018{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:01.017{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:01.014{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:01.007{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:01.002{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:01.000{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 354300x8000000000000000117840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:04:59.397{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64593-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000087414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:02.611{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E6A9368C1BA264E8B23734D4D36131B,SHA256=B0DBB1BB3DB3C7F1A69C642586304FC2BE14EC49D716AFCCDF6AF1E8DF751A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:02.238{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=815EF8A26532303FA4DB2405D029A7DB,SHA256=67BEF08E2D0CEF8F337EB19715370B33AB2F7BE03E482057BA87199D58E58560,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:04:59.883{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51573-false10.0.1.12-8089- 23542300x800000000000000087415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:03.703{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D0711A28BEF90A869525F8ACF249941,SHA256=A60DC419B074ED5ED72EDC51F07A7FD1AEF77CF0B6DF9320A76063ECD3917635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:03.331{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87BA9FB07A9EE5292F276AFCABAB8377,SHA256=7F4A2887227D753CFB45A0C145D4098CCE50CCDEF5EEC41B85B4D4528E513A68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:04.795{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA0BD9363403AA9454F1C969226E732E,SHA256=A9DCCFEB342F3C5C8609AE295D5E113B38014FF3D87A486F42D04EA087013D0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:04.955{3F28B219-1283-63EE-0B00-00000000BA02}628676C:\Windows\system32\lsass.exe{3F28B219-1280-63EE-0100-00000000BA02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000117844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:04.425{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2142F566126AE09FA917EDF35281AC4D,SHA256=DF1D4A8D6043522A1976C74707A48EFD659FA28B59157EF763F6B4DADF61112F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:01.291{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51574-false10.0.1.12-8000- 23542300x800000000000000087418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:05.877{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C1C4CDC99BA24B4D42F5957E0A6FCF9,SHA256=4EEB7468D3793CFC730CE337EDAA1B9576BE04C109F14F1E5CA19645E4EC1AE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:05.519{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBC6D42419C830BFEACB399444C0E7BC,SHA256=BD69BAF6338FFAB7DC3FC3E3E6125D9A92AB47CDC52810CD8B0828BEC1CFBD66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:06.961{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A2B0EE4B43A8A3143721C62C84904AC,SHA256=FD7E0EFEA21430D7E925EAFFB66B27B9CD9B82C19A94A8DB62AA94CA80109E4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:06.622{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D82E5D6FF5B542C0720C3A1C46984D5,SHA256=391555AF6738E9861E0D790F48CC640CA35E71B3E0EE42D97BF48008A79F6A7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:05.192{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64595-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000117850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:05.115{3F28B219-1280-63EE-0100-00000000BA02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64594-false10.0.1.14win-dc-ctus-attack-range-295.attackrange.local445microsoft-ds 354300x8000000000000000117849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:05.115{3F28B219-1280-63EE-0100-00000000BA02}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64594-false10.0.1.14win-dc-ctus-attack-range-295.attackrange.local445microsoft-ds 23542300x8000000000000000117848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:06.075{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=607CA3C0831EC84D40E087EB68E26A33,SHA256=AB5FC480C45D855E3F6D076F1E77D8F517F3B1E702ED1430A65A9A5240460BF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:06.018{3F28B219-1293-63EE-2700-00000000BA02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-005f8c708c98243a3\channels\health\respondent-20230216112509-155MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:07.716{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D559DACD79532FA068C4351ED601C9E,SHA256=1720839299273BE9089ACCAC7AC851CB004375843BEAAE02DD33E23DBE3A300A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:07.689{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1E00-00000000BB02}1976C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000117853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:07.018{3F28B219-1293-63EE-2700-00000000BA02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-005f8c708c98243a3\channels\health\surveyor-20230216112508-156MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:08.809{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FD499C0148C3558B3AF516B8A50D245,SHA256=35C3F09A82CBE95EA4083CD7055C0A14120E0125EE2204181A56852A8C65B7BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:08.056{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF2881B530C8E62A87F5AEEEDFFAA8B,SHA256=E5E865B175B86191621E5AE447B525408D9E71EFDCEAB0F3A398DA19CCBD3972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:09.849{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF6F44868B8D3F61AA8274E359938286,SHA256=C38504C5EE1CFEC8FA4714FFACA4E171C5FB271A0438B039DD31DBBCDF7DE500,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:07.206{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51575-false10.0.1.12-8000- 23542300x800000000000000087422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:09.146{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=273F3903845AD211F70A8DAB50062B83,SHA256=15AC439D068853ED01FB0677692360C5FAC84237BECA1CA6093DB1A74B38FF71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:09.545{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:09.539{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:09.537{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:09.530{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:09.524{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:09.515{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:09.509{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:09.487{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:09.472{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:09.469{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:09.464{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:09.461{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:09.445{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:09.425{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:09.419{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:09.407{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:09.394{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:09.376{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:09.345{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:09.285{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:09.259{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:09.230{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:09.201{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:09.131{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:09.127{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x800000000000000087437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:10.706{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3816-63EE-EF04-00000000BB02}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:10.706{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:10.706{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:10.706{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:10.706{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:10.706{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:10.706{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:10.706{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:10.706{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:10.706{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:10.706{A847701F-127E-63EE-0500-00000000BB02}412528C:\Windows\system32\csrss.exe{A847701F-3816-63EE-EF04-00000000BB02}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:10.706{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3816-63EE-EF04-00000000BB02}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:10.707{A847701F-3816-63EE-EF04-00000000BB02}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000087424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:10.224{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8FFE4D3167012773EE56C4C7B945CD4,SHA256=6B89FCBEC1DC1A3710922262AC86F61FDB8DE532FDA62E81CDFA15EE3806C79A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:10.715{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=281B95656156CCFC1211A59F701603F1,SHA256=86EC2ED804979D2F26D869E18FE5EEF314C2344A30388E16CC0816FC1020DA93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:10.183{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 23542300x800000000000000087454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:11.930{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=991A2629709A2935898F16DFDE14BD83,SHA256=24BF46FDC2809B28FA3DB3AF9260926F883C490988AECB89566D4E6FFB90B8EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:11.749{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AC9AF07C352171EB13C20D73D032882,SHA256=D168781E2E72F805CE078936A3076EBB5A88F88E3228DBE4800E440181D4BF76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:11.546{A847701F-3817-63EE-F004-00000000BB02}36961076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:11.389{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3817-63EE-F004-00000000BB02}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:11.389{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:11.389{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:11.389{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:11.389{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:11.389{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:11.389{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:11.389{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:11.389{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:11.389{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:11.389{A847701F-127E-63EE-0500-00000000BB02}412528C:\Windows\system32\csrss.exe{A847701F-3817-63EE-F004-00000000BB02}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:11.389{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3817-63EE-F004-00000000BB02}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:11.390{A847701F-3817-63EE-F004-00000000BB02}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000087438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:11.311{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD2063ED59841297241F564BEF807A2E,SHA256=5C6D64C6BB74D6E667D4989DC7FF6259F2A6BFBE2FA2AF7A1994824D19C5D788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:11.016{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB2FE9B19FD54FE835B881B565C97AE9,SHA256=3AD375B6AD67FE6DE95B5079BD7B8A1870BE8A1AED2987AE88DA1CFB0996E87D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:12.388{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FAA82F99852FD2FAC70DECC4711B039,SHA256=A38FFBDC0C0C6E8E4D72064522A5E313D9C693C7DDC93D4546768E4558F37916,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:12.827{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:12.823{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:12.816{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:12.804{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:12.778{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:12.771{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:12.757{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:12.752{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:12.751{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:12.748{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:12.746{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:12.743{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:12.742{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:12.740{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 354300x8000000000000000117889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:10.311{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64596-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000117888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:12.223{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:12.222{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000117886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:12.221{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 23542300x8000000000000000117885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:12.112{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9958FEFC29531FFE69069173FF7A7D9,SHA256=73BD7ECACC8B7795835C8CA28110FCAFB66FB1DB4F241BE5D4F61B63907333A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:13.542{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3819-63EE-F104-00000000BB02}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:13.542{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:13.542{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:13.542{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:13.542{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:13.542{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:13.542{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:13.542{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:13.542{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:13.542{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:13.542{A847701F-127E-63EE-0500-00000000BB02}4122040C:\Windows\system32\csrss.exe{A847701F-3819-63EE-F104-00000000BB02}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:13.542{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3819-63EE-F104-00000000BB02}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:13.542{A847701F-3819-63EE-F104-00000000BB02}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000087457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:13.463{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=068C99913AC56BAB0774EDD6EFC8ABE4,SHA256=18D2A128621DA1E28F3704DB9C4E5FD5449FAD6443A2A8C5B2778727C9212FE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:10.852{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64597-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000117904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:13.204{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=337D5F467D399762948A467C54933B1B,SHA256=8F9355E55271F86C83C8E6D88AD63CF05B68936F62148BA3D5FB166C371783B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:13.323{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2463BFA2C9FA3F01215FFEEECDF9E960,SHA256=17317B895040934653487AFCDB35DEB75E87E069D9E60CC533EB588B3E83552F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:12.364{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51576-false10.0.1.12-8000- 10341000x800000000000000087485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:14.781{A847701F-381A-63EE-F204-00000000BB02}9243884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:14.624{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-381A-63EE-F204-00000000BB02}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:14.624{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:14.624{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:14.624{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:14.624{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:14.624{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:14.624{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:14.624{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:14.624{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:14.624{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:14.624{A847701F-127E-63EE-0500-00000000BB02}4122040C:\Windows\system32\csrss.exe{A847701F-381A-63EE-F204-00000000BB02}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:14.624{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-381A-63EE-F204-00000000BB02}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:14.625{A847701F-381A-63EE-F204-00000000BB02}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000087471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:14.546{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A7A2564A47F138DE82F9403775CA7B6,SHA256=6F0EB09FE725A0FACD89C1D26D9A4A720F91668B0BA4C71E17CE3C5CA2BE93F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:14.300{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9390273DCEE563FE0D88A84A6CB070AF,SHA256=0799400F134FA4BC1B4539123F478E2765F0A47ACE7AF18D37E1EAD45B937FB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:15.940{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-381B-63EE-F404-00000000BB02}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:15.940{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:15.940{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:15.940{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:15.940{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:15.940{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:15.940{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:15.940{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:15.940{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:15.940{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:15.940{A847701F-127E-63EE-0500-00000000BB02}4122040C:\Windows\system32\csrss.exe{A847701F-381B-63EE-F404-00000000BB02}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:15.940{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-381B-63EE-F404-00000000BB02}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:15.941{A847701F-381B-63EE-F404-00000000BB02}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000087501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:15.940{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5374EA1B7245B7E9A5A199CF27491EC,SHA256=78504F16B6369C328ED0EF3C49B779D6620244838F4392C557799C94342CAA77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:15.392{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50CF15899762455E4777C18A203EEFD8,SHA256=346DE39946D0F53A04A7F53E61E0F34B4A596BA161E08D4B0B97A2DFEF43646D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:15.487{A847701F-381B-63EE-F304-00000000BB02}34962404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:15.284{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-381B-63EE-F304-00000000BB02}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:15.284{A847701F-127E-63EE-0500-00000000BB02}412428C:\Windows\system32\csrss.exe{A847701F-381B-63EE-F304-00000000BB02}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:15.284{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:15.284{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:15.284{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:15.284{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:15.284{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:15.284{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:15.284{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:15.284{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:15.284{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:15.284{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-381B-63EE-F304-00000000BB02}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:15.285{A847701F-381B-63EE-F304-00000000BB02}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:16.807{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C161B2C65A0B855D1ECE1834B82CB786,SHA256=B05EA9441C31DFDC205D97E707DBD9CBDECAFD72A83220027F6FBE29F598F867,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000117909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:15.395{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64598-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000117908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:16.488{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB1ED3C675132D48B8465E57CB3F2FCC,SHA256=677E7940731FB0683D40664FD559F1D5C5BD26C1BD60B0E4003E625F7198E36A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:16.160{A847701F-381B-63EE-F404-00000000BB02}18122548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:16.104{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-381B-63EE-F404-00000000BB02}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000087519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:16.104{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-381B-63EE-F404-00000000BB02}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000087518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:16.104{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-381B-63EE-F404-00000000BB02}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000087517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:16.103{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-381B-63EE-F404-00000000BB02}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000087516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:16.103{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-381B-63EE-F404-00000000BB02}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000087515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:16.103{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-381B-63EE-F404-00000000BB02}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 23542300x8000000000000000117911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:17.566{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA1188D868CAD20A521DDFD1D88193B2,SHA256=2A0BA3D28646BCF6B70C411FAAC40EF4638CB4CDA02825B77C03565247258F87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:17.048{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4C461EFAF383601DA14E0F263F2E8A2,SHA256=CAEF70333457C748A3579AB59E5A73C44CC7DCD1A728FA703853A60A16B1765B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:18.661{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2017488DD9DAF4A426C5D797CFC5E58C,SHA256=EACD9F3E8C2FBE260EB0728D0785952A05BD8E791328A9578DC18B5D66ECBC65,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:18.704{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-381E-63EE-F504-00000000BB02}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:18.704{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:18.704{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:18.704{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:18.704{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:18.704{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:18.704{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:18.704{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:18.704{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:18.704{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:18.704{A847701F-127E-63EE-0500-00000000BB02}4122040C:\Windows\system32\csrss.exe{A847701F-381E-63EE-F504-00000000BB02}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:18.704{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-381E-63EE-F504-00000000BB02}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:18.705{A847701F-381E-63EE-F504-00000000BB02}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000087523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:18.141{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6A30BB457DBCCCE593C30DD966BA661,SHA256=C21F33CF3B9776EDDD0BE643CA69B8D8DB1D38718E0B4ACA367A9FB4A5C4B2AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:19.751{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=260290815CF21651AD31960447DAF0FC,SHA256=0FE1C9809262D2A9914D113CB894A172C98925DC1385A9E95F2E20229DDB4767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:19.866{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48D1669792741F1466C83F2CB700415C,SHA256=1679F3A61AAB35295C958AD9C0AC7FA7AE60939CE626175186B5F35CA9D08A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:19.225{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C87756EF2567A13052C95083DFDDC81,SHA256=20A0D4851D6E1C8ED826407C47DC8332ACA09E3E279FFEA91A908ACA9CEDA21E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:20.904{3F28B219-3820-63EE-6305-00000000BA02}15086124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000117922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:20.855{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05EC87BDE76E7F946FCE809BDCCFE19B,SHA256=598189F665D2EC544E158E3540225EAB9680120F8156F3F103D7F4430CE198FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:20.983{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:20.980{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:20.976{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:20.972{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:20.969{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:20.966{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:20.965{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:20.964{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:20.961{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:20.956{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:20.954{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:20.949{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:20.936{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:20.932{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:20.920{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:20.914{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:20.889{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:20.877{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:20.843{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:20.834{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:20.825{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:20.816{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:20.805{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:20.794{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:20.784{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:20.776{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:20.766{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:20.756{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 10341000x800000000000000087540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:20.752{A847701F-1281-63EE-1E00-00000000BB02}19762880C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012900610) 23542300x800000000000000087539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:20.304{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C98F6844F0DD9864C8C6524BBB14EC31,SHA256=F67852D1B157701B3C0E4FC5B455C4706FF083DBAF8750FAB26D4DABCB49A559,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:20.717{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3820-63EE-6305-00000000BA02}1508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:20.717{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:20.717{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:20.717{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:20.717{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:20.717{3F28B219-1282-63EE-0500-00000000BA02}412368C:\Windows\system32\csrss.exe{3F28B219-3820-63EE-6305-00000000BA02}1508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:20.717{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3820-63EE-6305-00000000BA02}1508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:20.717{3F28B219-3820-63EE-6305-00000000BA02}1508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:21.971{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AB0F5551A94C4F459EDE14FA3F88652,SHA256=CF5BF2010FB4FCC0EEBFC60B894D4211A99A615FDA3869A8DFCAE4A5B6848264,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:21.947{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3821-63EE-6505-00000000BA02}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:21.944{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:21.944{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:21.943{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:21.943{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:21.943{3F28B219-1282-63EE-0500-00000000BA02}412524C:\Windows\system32\csrss.exe{3F28B219-3821-63EE-6505-00000000BA02}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:21.943{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3821-63EE-6505-00000000BA02}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:21.942{3F28B219-3821-63EE-6505-00000000BA02}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000087570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:21.594{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B3E18A5DA3D53675353B95704952DDA,SHA256=7D210DD68FE96A49BF622EFA53333D82CE7939E7C0E69A67B5AC02ABEE4888CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:21.826{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30EE9DBC6A23EF230FF1C47B199710F5,SHA256=EA991E23160B8F863D760293CC8CB7BCCFF449E793005AF2B55EE56C25B82CCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:21.325{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3821-63EE-6405-00000000BA02}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:21.325{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:21.325{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:21.325{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:21.325{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:21.325{3F28B219-1282-63EE-0500-00000000BA02}412524C:\Windows\system32\csrss.exe{3F28B219-3821-63EE-6405-00000000BA02}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:21.325{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3821-63EE-6405-00000000BA02}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:21.326{3F28B219-3821-63EE-6405-00000000BA02}6600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:21.044{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F8DB6886A202C48AAF257B2D93A117EB,SHA256=D189A249946D88F85BB7EE8ABDE346C605CE645B62FFF0FD6DC34FEAA8B45421,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:18.150{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51577-false10.0.1.12-8000- 10341000x8000000000000000117951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:22.976{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3822-63EE-6605-00000000BA02}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:22.976{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:22.976{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:22.976{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:22.976{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:22.976{3F28B219-1282-63EE-0500-00000000BA02}412380C:\Windows\system32\csrss.exe{3F28B219-3822-63EE-6605-00000000BA02}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:22.976{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3822-63EE-6605-00000000BA02}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:22.976{3F28B219-3822-63EE-6605-00000000BA02}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000117943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:21.343{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64599-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000087571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:22.691{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D5C92A35ACB87CE5DCDE41F218A2585,SHA256=8C3A4CD30A832DB6DB4E64952E42AE28F49DECC50E03D6AC24B4E98CEF70B8A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:23.782{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4081E1EAA70A6E1A4019DA35F9FC8C8,SHA256=92F7DBC0B167CD32DB1B5160029891F42F4130B13A44CD6424E75D3CE6E63672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:23.205{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=ECCB8AD0A1F7D6A4C94C0E8F2A941775,SHA256=A004BEB9F0194478C5C23893EEB751F1332A8E5708F48167FF138DC7F7E4BF54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:23.143{3F28B219-3822-63EE-6605-00000000BA02}19404572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000117952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:23.035{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9CA54973A530251AFE09DBA3E55C395,SHA256=FCDE6106EFE669CC36028D0BCA7BF0E4B6E5313F716DFAA0EE39C08F3A170BDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:24.862{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05DBF6E5124ED068EB751C6ADE9842A8,SHA256=7328D108B3D8886A9208A3DFC98A94AF6A1BC90B6BBD54473206A2F5C7EC42BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:24.833{3F28B219-3824-63EE-6805-00000000BA02}69206976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000117974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:23.489{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local64600-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local389ldap 354300x8000000000000000117973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:23.489{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local64600-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local389ldap 10341000x8000000000000000117972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:24.579{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3824-63EE-6805-00000000BA02}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:24.579{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:24.579{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:24.579{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:24.579{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:24.579{3F28B219-1282-63EE-0500-00000000BA02}412380C:\Windows\system32\csrss.exe{3F28B219-3824-63EE-6805-00000000BA02}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:24.579{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3824-63EE-6805-00000000BA02}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:24.580{3F28B219-3824-63EE-6805-00000000BA02}6920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000117964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:24.282{3F28B219-3824-63EE-6705-00000000BA02}63882520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:24.082{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3824-63EE-6705-00000000BA02}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:24.082{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:24.082{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:24.082{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:24.082{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:24.082{3F28B219-1282-63EE-0500-00000000BA02}412380C:\Windows\system32\csrss.exe{3F28B219-3824-63EE-6705-00000000BA02}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:24.082{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3824-63EE-6705-00000000BA02}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:24.083{3F28B219-3824-63EE-6705-00000000BA02}6388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:24.004{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=029A957443BE81C4D188FA1DEDE3AC55,SHA256=C9E5053AAFE8884166BD9C8C37E73BAFD71E52E4446DAAE8856820D32CDED6B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:25.970{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF28C4FCEBB4EBE82F0868BE96A985AB,SHA256=2E27F04D3ADBD70227C4BFA720B66429FA2099B93E1AD6950C3DD7ACAF506AE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:25.091{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D598F27AB40BB899751D54D9D9EFF607,SHA256=00D103E5D6743A4E2DD3A170DF29EA647DB289C653D119EE810B13742BBDC138,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000117985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:26.775{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3826-63EE-6905-00000000BA02}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:26.775{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:26.775{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:26.775{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:26.775{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000117980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:26.775{3F28B219-1282-63EE-0500-00000000BA02}412380C:\Windows\system32\csrss.exe{3F28B219-3826-63EE-6905-00000000BA02}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000117979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:26.775{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3826-63EE-6905-00000000BA02}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000117978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:26.776{3F28B219-3826-63EE-6905-00000000BA02}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000117977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:26.291{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CAF6A37A477553A40507244C0001411,SHA256=9E63B5A56255E0B6C1628490FE354036EFE1241D0A90677CC24936C2FD682164,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:23.305{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51578-false10.0.1.12-8000- 354300x8000000000000000117988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:26.356{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64601-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000117987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:27.834{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58C10BEE8AF6FF686B2A98533B5539A0,SHA256=E9354EAA43BCA3F5D172CE4B243DF89970CB017164A8425C63B12D8E972F08A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:27.415{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=707E4F01F38F0F2DADA3D1008BBFE81A,SHA256=D7C33E860A8FFE86BAB08C043908950FD0DA04B97A729C6B9831717C04BF2A16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:27.054{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB199DC4CEE3F5FA1157726BD6B8F8B0,SHA256=F3DC12E2C4A49D7FFF8B2948512385264BBB3E2833B4E2A57F15AF622334DCE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000117989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:28.511{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7938C356D837F2FED5FCE7A43C67980B,SHA256=5CA2B141999E92881916475515EBCEB0B60FAEE02D22AA7685ECC6C042C0411B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:28.130{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BC08651F8928DCA95468EEC2EBD7642,SHA256=0D6B2B2BA130CDD8D84829350E61DF34480894C5A0FD3A994A1D30E376B585EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:29.942{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x8000000000000000118015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:29.575{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=956464DDABCA5884BD86FD872CBBF0D1,SHA256=BAAAB6829F4F9ADB39ED90373F51206C658A801D8EF9536B72F1763908B798C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:29.215{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E20FE2ECA5C103685687AC112821BF8,SHA256=2FD56B2B89A0D8BE0C96B3653CC6A5468D16E8827EF4A287FAC20B4344A2764D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:29.512{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:29.508{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:29.504{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:29.501{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:29.496{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:29.487{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:29.484{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:29.469{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:29.459{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:29.454{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:29.452{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:29.448{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:29.439{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:29.411{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:29.405{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000117999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:29.391{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000117998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:29.379{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000117997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:29.368{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000117996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:29.339{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000117995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:29.308{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000117994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:29.298{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000117993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:29.281{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000117992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:29.257{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000117991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:29.140{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000117990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:29.129{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x8000000000000000118017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:30.644{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98653B7CAC961FEE1DC936A2333CF9BD,SHA256=5304F39DEA53ED52192DDAE7A4E221F8B7021E4312113454F17AE90945E16A0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:30.299{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CD9FA46D54E213F0B8F692FD55D7E6C,SHA256=3AB12323562448B6904C2C0906C93A85D1FFE7C911E817DEB61AB3C979CF2DDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:29.291{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51579-false10.0.1.12-8000- 23542300x800000000000000087580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:31.380{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1DEAE5BD0665027A53386923B64B91A,SHA256=F7070F8DEC5CC4AFD74ADA88C9DD731FB472E56DCDF7383E0E9519A9AF9B2FC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:31.962{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:31.961{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:31.960{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x8000000000000000118018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:31.729{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02FC83FEE468C26057377D30E9765E3B,SHA256=DA623F061F85AD2D3E12EC372BC2C0C5C8B3C0A4C8F5B39F2075AE74742FCB86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:32.477{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F4FA5C044C34A3D6F5E4DF121FFF89,SHA256=5D7C7DE0ACDA22D4DA4E35FB81141F04DF56D500A1104EFA33B1C9B712DAA89A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:32.820{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9796044C8BB687F7FEC58BEC273FCF94,SHA256=0BE2C2757211C125277C8B61208F5802012254D8E516E71BDC0D6FAB7E78A129,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:32.607{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:32.601{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:32.581{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:32.579{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:32.579{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:32.577{3F28B219-1283-63EE-0B00-00000000BA02}628824C:\Windows\system32\lsass.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:32.554{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:32.554{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-14C1-63EE-EE00-00000000BA02}5488C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:32.516{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:32.507{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:32.496{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:32.490{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:32.488{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:32.484{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:32.481{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:32.479{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:32.477{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:32.474{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x800000000000000087583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:33.556{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2174755EF9384907F08C75D589A01E39,SHA256=8C059EC951D95DD0601C3687772DDFAD95EBA19AB053BB36478FC92A673FA077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:33.914{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E84F70EEA9972D285BF41F0F0924E8F6,SHA256=6C3BE59E4ACCF718707CB5F784559598DCD620F7FE7C4CDE24696C0445F05AC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:34.641{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B9FE379BE04F2C3C96C45B87B897D19,SHA256=6669A019ECDBB39FB3D69E096E7A1EE11C13C27BF6C272D6715DCB843B13118D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:32.383{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64602-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000087585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:35.736{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D313900114DB7963DAEACBF0BA1367FF,SHA256=FA450845070F166B63C4BBDA3FEC1CA5E1F2432EA1E9CB6645BBB4AAE60316F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:35.002{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=141E1FE4744C3A3D330DA175C52C103B,SHA256=6816E7E6635D17D6D4C701434540793B08D18EEF01EFBE43B28B5A5A10E8F8CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:36.814{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=120990BD07BBF364040EBE39C53A80D5,SHA256=51F29498828BD1631A0BC3852AA01D7CFA25D4EBEE671DE56FEFD1AC9CDA9039,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:36.097{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7CDB4FBA85FE63B67921CBDD400F7E6,SHA256=C3E89D26F97E0631E2F5F4EF27DA0FDDDDE886879EAE6EA657E495C658752F78,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:34.336{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51580-false10.0.1.12-8000- 23542300x800000000000000087588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:37.898{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D27C0EA301328EB0158F99D8CADBF93A,SHA256=639D1B5DF8CE5CE08E7E3C0B76579193330429CD1E26075982458FEBE2464DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:37.185{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BEB738421E8C2E0E1BF294EEA031C5D,SHA256=58B62280CE52EC5D69E3F5FB2A17077E29051D2CBF9F989FA440A211D52516CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:38.988{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7FE33EFA67E25537835BA579C82E837,SHA256=5E56AAD3638388191BA90B457E6CED672549B0C98EF024E94462C34D7AE3604A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:38.299{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3F06ED4C5E24932BFA1F66C048504A5,SHA256=E31A8540BE53E3029DEE2679A5D2E39E4986E9B24C759EA8BCD67BAF08A43865,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:38.311{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64603-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000118047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:39.496{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA3FC4148B96BA85AF6F40F357CAE724,SHA256=15CE9F24FF0E30745259F70D14B0B2617A771BA25CE4C8C1B7ACE9579E2F8CB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:40.590{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4F151D16351338FA14CA33E55BE5123,SHA256=B63DDBCB15ED334C48EA29E65A6AA09685D66A698B71F372E8FC1E2A9DC78E1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:40.913{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:40.911{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:40.909{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:40.906{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:40.905{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:40.903{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:40.902{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:40.901{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:40.899{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:40.896{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:40.895{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:40.892{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:40.883{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:40.881{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:40.874{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:40.872{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:40.852{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:40.845{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:40.821{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:40.813{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:40.802{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:40.788{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:40.781{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:40.774{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:40.768{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:40.762{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:40.756{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:40.749{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000087591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:40.746{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 23542300x800000000000000087590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:40.081{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B889B9357D86A65AE479980F43852B5,SHA256=5B2269F5D8777C595E9BD92E74DA060098E5BB5D9F48B30FAF6FD3354942CAFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:41.318{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=302885E9C35DFF6E058F7623A0ECED91,SHA256=87D148D10EBF6AD4CC3C7C89D29C72B03D0BBE00A08615BD818299787EFB930F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:41.681{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=478D0B177337B084BFB0C303431AC0E5,SHA256=BA1E0A435537ED23D2A7C5161C45895FB9993C84CF5361292CD72E90B8BE24E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:42.772{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=982792C138BD32CFBE872C09B983F190,SHA256=10AA28DDECC6C1295A9ABECBC61817A471F033E147882CD23872C266B857CAC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:40.327{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51581-false10.0.1.12-8000- 23542300x800000000000000087622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:42.758{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DB106D8BE837A1DC21509B8DB430AD8B,SHA256=8C2497476A80A7165933E4B0BF31CB19D237F90DD36D6C9B0E8F6F43C5F94844,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:42.467{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E37D87EFF48A12268479E678F5FA1A5,SHA256=882A900E788F07305768FF17921E31C724B30195028CEA949AD9B87A9710EE9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:43.861{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=103A766DCE675EE22B3AAC97D48CCE0B,SHA256=3175597D3AE76B4D89781120E797D842EFDCAF56AA92F7679824A71DD9B325FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:43.553{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=189324CFD097639A6A2C5CEB8D8B66BC,SHA256=5CA043B52E532E873104DF39055DAB12065ACEB13A11E2447169E05127EA0619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:44.958{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27E7DEDCD5E82C498A739225F70554D6,SHA256=52541FEB9310A35243A9E1C29E42FD6CB339CE0BBB6A9B4B594861B219BA2ECE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:44.638{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D233B67994FA190F3693C9E71C8BCD56,SHA256=ADE0AE0A8862F6B3C362968799E6BB2641847C544150724B538992EC70874B2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:45.738{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAF1D4B102B6FD00D2B5E753BBC474BB,SHA256=9B7B2F1A964D0EC9554468E95781DDBD76F32BBB00811E4645220D2AFD31341B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:46.829{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84A8A9EBA50C4664D47DF80DEF3ADA55,SHA256=F3A69CA6577E372BCDCB4815218BEE5F58F11D74DC8B67C5437661A7A200EAF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:44.347{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64604-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000118054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:46.047{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23F9CEDBECDBA8AB61D015C3F1F179B6,SHA256=4B369D760BB9655AAD6BB3403B01388A5218D7900C5BC9643A2B5AF24ACAA6D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:47.917{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D69DDB039B2D6DFFD30CDCC166705FA1,SHA256=DBB45A871A81639AB407659617505E441D934E6BA62D1B9A6BCB3516F5FDB254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:47.131{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=629A87B3BCA0B4941FF760B9668C03B5,SHA256=AE6A9B81704C87DCE60D93C7484E1B81DBE80F29F028DA1222E064C4DCC3A29E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:48.218{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEA7F98CFD63968AC9E4F35FDAE9F4DD,SHA256=B376FBE840448268673DFC2975DFE688D945E56AB4732B1D4CC7B0AF17482939,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:46.350{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51582-false10.0.1.12-8000- 10341000x8000000000000000118083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:49.493{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:49.485{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:49.481{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:49.475{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:49.466{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:49.454{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:49.452{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:49.436{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:49.421{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:49.419{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:49.413{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:49.411{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:49.402{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:49.363{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:49.354{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:49.346{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:49.334{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:49.317{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:49.288{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 23542300x8000000000000000118064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:49.287{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EDF5E48D842EEB8B6A5A64BDE7A3DAD,SHA256=B81E0F74103B11B1B9CF82602532FC84F79D2F5EB461406CFF4175E726BE7BFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:49.243{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:49.233{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 23542300x800000000000000087630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:49.009{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8B263F0C6486E24D908291F3A452F19,SHA256=EAB13223031D9EEE5F9AE32E202E9730320EB2B08B368930AD360A78ED01A8C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:49.213{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:49.202{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:49.111{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:49.109{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 23542300x8000000000000000118085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:50.315{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A9D7E6B23E542C1F7D2B7AB91D8ED63,SHA256=7BBF560974C4BD9CEE9F33DB373DF9EF08F9536820E9F1505E6E9983E4483FE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:50.961{A847701F-1280-63EE-1200-00000000BB02}1016NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=896D66827D9134AE24732B39404004AC,SHA256=C95F080BF9F359651A487B5C832F773A940A46B422040CCDB9AE277A9A6B4793,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:50.105{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95844ED0D89DDB793113A13C21601AA8,SHA256=D6FE9EE702D5335B4804BD72C766DB33E06E8AC885B4F989F09DEE268EF11686,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:50.101{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 23542300x8000000000000000118086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:51.405{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E037B39BC1C671F2FDEDF672768DBDD,SHA256=23EA9C8AF5421AA9B1F18CC34B6AB0ACA320B123EB25DA4851BCA29F18B91951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:51.191{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4B47F3622FFB63A19E45E45AE928615,SHA256=02C9CDE2D0906B8127504C0D64EDC8E8EBFA4523B6E4509276C803FEBBA5D957,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:52.767{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:52.763{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:52.754{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:52.743{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:52.714{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:52.704{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:52.688{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:52.678{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:52.676{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:52.673{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:52.670{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:52.667{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:52.666{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:52.663{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 23542300x8000000000000000118091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:52.505{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C785F95FDCAE46E928B11AC0286FC1BC,SHA256=8D9E1BE342D32F16854084E4FCEB4FD117D03C66EB561014EF07A214782AEA41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:52.282{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74F629E067A50F7D13FDC9F5AF223270,SHA256=B166015E95729CA1E9CE8B264D393BA353E4DD770C0D32DF902860DFE59A68D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:52.150{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:52.149{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 354300x8000000000000000118088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:50.208{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64605-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000118087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:52.148{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 23542300x800000000000000087634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:52.131{A847701F-1281-63EE-1C00-00000000BB02}1884NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0729cc0666dfd4ba8\channels\health\respondent-20230216112453-156MD5=B67CF1AA8F02C4F88F32B9662830A5FC,SHA256=A3185EA3A347A8F67D824B533332877713B0C696AA9DEB83501331F2F0EF2A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:53.382{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7380D589B7CBFB57E9BDB092976E027,SHA256=652D73831EC385A38B56BA787C00CAFEEBB8243C29543CA4EAAD8C50C2256211,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:53.594{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=215430D8167CE8CDF2175E311DDFC319,SHA256=B2CFF18F4C5CA6DD6EEE940DB1BA04C446F976235FD082F4D3C090D86E44F67A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:53.359{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A274BAE1C43D9F7FCE4650408B4C549B,SHA256=AFCB2D86C001A18D7EF8379CE149525FC1888463C0898415BCA1029657494CB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:53.137{A847701F-1281-63EE-1C00-00000000BB02}1884NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0729cc0666dfd4ba8\channels\health\surveyor-20230216112450-157MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:54.470{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9356859E64969A1DD188399B99BA331C,SHA256=9C46D79BBE9BE1F9107E962361BD9B5AA5922E298797ECDFF0E0FE248FBBB493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:54.792{3F28B219-1285-63EE-1100-00000000BA02}756NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C05369CCC664E9750FA5F4AAFEE8B9F6,SHA256=28F3DB5B46391DB54B1079B55BF3115CC62B6E069BDD0E2D18023A2BB46B608C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:54.683{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=441CD19FD21230F2D163E9B2C800E6A9,SHA256=8C7D8023B7397A0D489EBF8729D888AC6A6E9F6DA987C9CB4086669B4C46AC3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:55.774{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E51107A17B011A3FD21B1D40A47092C,SHA256=2D99583C1B6D449D732123D53E8CD6EA87D2483C107BD90EA52B0D0CE3CF1606,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:55.554{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DEC1F84BFE6C6CA4A8313B8A182AE09,SHA256=32F6C83EAFF68D743F6CCA3BE9E43085CF742BBC4CF54A29D048A4F86AA5B7C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:52.253{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51583-false10.0.1.12-8000- 23542300x8000000000000000118112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:56.860{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB183ACD71E7A6C38DC97D6561D2B346,SHA256=137420FBF60FF36DF1BE7153E28459089A38F66442EACCDB1CCCF7608AAC8975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:56.644{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=457088473CB513643983159A8772A465,SHA256=55B9C3D3111E59844282387AAA4A2320E8F6DC9A9193D9D585003995D6493BBE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:55.403{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64606-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000118113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:57.951{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=463C2D3885D60CFED74FECF9EA095CC2,SHA256=820410E7CEC56E187E829EE13D1A0B11D0D4A24BE857FD3D487C429290EF00FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:57.736{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE0DC38E68F31356C3C2D537FBC0C32D,SHA256=034C5AD316FCFAE06F415A6161E2C2310880DF201C132FADCD246F4CCB1A0DF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:58.831{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=242575AE62DC35FA9E189907F5FA400F,SHA256=4DD3E7FBAC10F76A1D52565E5DCF0A67132CBE261736EEBB250CA01C9E8743CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:59.910{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F262C91A08C5CF320EB217141B73C3FC,SHA256=7B407C071BEE2FA265DFCDC522348FFF7FFC1F10815033686551EB51AA3F70C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:05:59.032{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4C72BBB6448C7BC14FC26E1ADBC560C,SHA256=270A0B9F0B3CB86ACF2E9F71F9891D3926DA1236FEA6547CD7C036C801403FDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:00.998{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:00.995{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:00.992{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:00.989{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:00.988{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 23542300x800000000000000087671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:00.985{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33DCCC2431B0A2A2C79CEF875A51D794,SHA256=68A0CBE18F473A58FEC7F142E087A8CE8C7491B2930319FD8CA978BDC9917D9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:00.982{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:00.979{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:00.977{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:00.975{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:00.968{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:00.967{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:00.963{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 354300x800000000000000087663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:58.151{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51584-false10.0.1.12-8000- 10341000x800000000000000087662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:00.952{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:00.947{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:00.934{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:00.931{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 23542300x8000000000000000118115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:00.088{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FC71F20F3B4B11BC852B207C8F9950D,SHA256=D0E3609DF7305B71604B7D6CB5C732E3FAE27904BF281D87CFF944F56FA94C87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:00.908{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:00.897{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:00.864{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:00.851{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:00.840{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:00.831{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:00.822{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:00.814{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 23542300x800000000000000087650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:00.806{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=281B95656156CCFC1211A59F701603F1,SHA256=86EC2ED804979D2F26D869E18FE5EEF314C2344A30388E16CC0816FC1020DA93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:00.798{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:00.790{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:00.774{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:00.764{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:00.759{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 354300x800000000000000087677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:05:59.905{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51585-false10.0.1.12-8089- 23542300x8000000000000000118116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:01.168{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAADEF37DD3F051059969F3BCFE45988,SHA256=F7990B0B92689CEFCAA74D8F21C705EE9D07E79949678557308A3FCA7AF2273B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000118122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:06:02.258{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\90005E51-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_90005E51-0000-0000-0000-100000000000.XML 13241300x8000000000000000118121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:06:02.258{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9C56FEC4-DF75-4A6A-8202-93F7FB933FAC\Config SourceDWORD (0x00000001) 13241300x8000000000000000118120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:06:02.258{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9C56FEC4-DF75-4A6A-8202-93F7FB933FAC\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_9C56FEC4-DF75-4A6A-8202-93F7FB933FAC.XML 23542300x8000000000000000118119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:02.258{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=968E8BFCE162D83D216C025D3CCF1B01,SHA256=7B2544382ACF11F6C8604DB93282374F654FF5BA775C0667BE3A00D3DA8146EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:02.242{3F28B219-1283-63EE-0B00-00000000BA02}628824C:\Windows\system32\lsass.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:02.242{3F28B219-1283-63EE-0B00-00000000BA02}628824C:\Windows\system32\lsass.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:02.070{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=758A38E0014C1219A41ABF891CF08A67,SHA256=64337936DE7E4BB1C5ECBE8ACDCA8D79D28C437B715165410307A3E365EF26F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:03.939{3F28B219-1283-63EE-0B00-00000000BA02}6284564C:\Windows\system32\lsass.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:03.939{3F28B219-1283-63EE-0B00-00000000BA02}6284564C:\Windows\system32\lsass.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:03.939{3F28B219-1283-63EE-0B00-00000000BA02}6284564C:\Windows\system32\lsass.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000118131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:02.428{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local57481-false10.0.0.2ip-10-0-0-2.us-east-2.compute.internal53domain 354300x8000000000000000118130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:02.428{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local62449-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local53domain 354300x8000000000000000118129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:02.403{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local64608-truefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local135epmap 354300x8000000000000000118128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:02.403{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local64608-truefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local135epmap 354300x8000000000000000118127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:01.264{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64607-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000118126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:03.329{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79DC20BFE583B9C2F5E6DA6EE74964F0,SHA256=B609BF1764FA1837857D0675D8870C7629D9CA21D3CDC55174C463173530DE5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:03.146{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=368FC5135CEE628A5492654705D3ACBE,SHA256=7E0C0C1246B077C2A084817587C6CC7ADACDE70702E617D2712C94794F3C8694,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:03.096{3F28B219-1283-63EE-0B00-00000000BA02}6284564C:\Windows\system32\lsass.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:03.096{3F28B219-1283-63EE-0B00-00000000BA02}6284564C:\Windows\system32\lsass.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:03.096{3F28B219-1283-63EE-0B00-00000000BA02}6284564C:\Windows\system32\lsass.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000118140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:03.255{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64609-false10.0.1.14win-dc-ctus-attack-range-295.attackrange.local389ldap 354300x8000000000000000118139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:03.255{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64609-false10.0.1.14win-dc-ctus-attack-range-295.attackrange.local389ldap 23542300x8000000000000000118138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:04.408{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CDCB09498C432505DBC06DE7259836B,SHA256=545B9A081511C5C327B9482CE1EBAEF801660F1B276A08904CBEF3422FFB721C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:04.235{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=649380D6450C4C3AE5A75984072E0D96,SHA256=5A8CCACC51017F1622FADB62D8625B854335D2491C62E9D20795935EE4DF40DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:04.267{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=724D7A44A3AD98CE6DCC0DE34A7EFD80,SHA256=8690ECFE6ED9EA3D223F73E5A9EACF8FD046FC71CA41C8DA2256706801B5F2FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:04.111{3F28B219-1283-63EE-0B00-00000000BA02}628668C:\Windows\system32\lsass.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:04.111{3F28B219-1283-63EE-0B00-00000000BA02}628668C:\Windows\system32\lsass.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:05.502{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78D1281C7439A79FEDAB04E0C7E7B774,SHA256=55150F305151D4DF0DD7D9B04E50898C19703DFF3B7A810EC2C45066C49A07B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:05.324{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=180FBA8D66911A28B4E1F77E5D2A2760,SHA256=FD906533FBDBBC0B1202AF2C324207F2C5C1F81F5AABE4BAD0458ACC3EA995C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:04.098{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64610-false10.0.1.14win-dc-ctus-attack-range-295.attackrange.local389ldap 354300x8000000000000000118141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:04.098{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64610-false10.0.1.14win-dc-ctus-attack-range-295.attackrange.local389ldap 23542300x8000000000000000118144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:06.589{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D92C457648DA52056BE8411D2A642BBF,SHA256=23EADC78350ED3323708F8D21220D3CD913698A9FBA3D009CB168203E42AB623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:06.412{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB1C7DDFA7B171D46BB911B1FBAD9B5,SHA256=092BD2F4AD946EC49313F0130139FE4A53AA995811A1D24D9EC900C2BE94F91B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:03.338{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51586-false10.0.1.12-8000- 23542300x8000000000000000118146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:07.616{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CFD9F94A1A4FDBD8E6B2432BFEE4197,SHA256=41D7259E1A7F654ACD106F2C8FCB53A845CE81E5B0659CD4D277670026280CA0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:07.688{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1E00-00000000BB02}1976C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:07.503{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86AE6D46A1234CB68060C8E0A74F0216,SHA256=B987FDDD55D10A8414A6198C4ECA8F267B70DC7A2658A0E89C646E8978305D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:07.558{3F28B219-1293-63EE-2700-00000000BA02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-005f8c708c98243a3\channels\health\respondent-20230216112509-156MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:07.294{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64611-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000118148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:08.717{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A266F9AF459E475EA07B4E9B3C9B0D5E,SHA256=6FE84D707C4924F4B3FDCA86ED992B96AEA3657C28E7CA48997DE51D93105100,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:08.705{A847701F-127F-63EE-0D00-00000000BB02}7843956C:\Windows\system32\svchost.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:08.564{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3211B31680B15BF9F094F41FD5B9C08,SHA256=A008B70FD007B33DF33C49D653579DAB280C35274F0BF736EC0D6D45BB81E714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:08.567{3F28B219-1293-63EE-2700-00000000BA02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-005f8c708c98243a3\channels\health\surveyor-20230216112508-157MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:09.771{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983C457104FC731EC6C87EBA28DF6A30,SHA256=93C5B971B758E8B26622E2DCD4A110D73E32ED4FCA532C32DCDEA5CBC526DC77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:09.766{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=171511D6740343CC683765DC009CDA2C,SHA256=5FB25A17D616B7593B9A580016F0C5F0FE126680AAA89B3CA63546F78025B048,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:09.415{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:09.411{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:09.409{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:09.398{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:09.387{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:09.378{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:09.374{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:09.362{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:09.354{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:09.348{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:09.345{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:09.343{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:09.337{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:09.322{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:09.316{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:09.309{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:09.298{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:09.287{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:09.275{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:09.235{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:09.228{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:09.218{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:09.209{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:09.139{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:09.134{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 23542300x8000000000000000118178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:10.848{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFC33278990B9F0024DCE4F0D3AE6E61,SHA256=310B892F254028A50455ACA8444FC5708C6C537F2F50C156A28265F9BC706519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:10.857{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52AD7828D4DC56F8ED805EA19401AB93,SHA256=12CD232A3CCE37D1FF9D64EECDBFDF4E619C94F06FA1769DA10655E72FDFD772,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:10.740{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=281B95656156CCFC1211A59F701603F1,SHA256=86EC2ED804979D2F26D869E18FE5EEF314C2344A30388E16CC0816FC1020DA93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:10.071{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x800000000000000087701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:10.732{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3852-63EE-F604-00000000BB02}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:10.732{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:10.732{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:10.732{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:10.732{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:10.732{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:10.732{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:10.732{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:10.732{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:10.732{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:10.732{A847701F-127E-63EE-0500-00000000BB02}412528C:\Windows\system32\csrss.exe{A847701F-3852-63EE-F604-00000000BB02}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:10.732{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3852-63EE-F604-00000000BB02}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:10.732{A847701F-3852-63EE-F604-00000000BB02}912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:11.936{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B28F7754AD8D40C4E872DCDF748C6D8B,SHA256=944D25AC52BF01AF72A0DE1B4102E19F2F5126BEA71CD9DB413C88C587A5BDE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:11.975{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06352D8095786AE2D41FA426777DFAA9,SHA256=DB4D312D3F4874F0D55742A18B823C608FA9F3C9BEDF772B44B3329C75942B12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:11.852{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63C1551E479E938D9201600106998C32,SHA256=4F1A2C0A3D154031F48837B226B983DB99018908E7C8D27E5DE7C2220447AF4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:11.602{A847701F-3853-63EE-F704-00000000BB02}3722392C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:11.492{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3853-63EE-F704-00000000BB02}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000087721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:11.492{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3853-63EE-F704-00000000BB02}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000087720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:11.492{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3853-63EE-F704-00000000BB02}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000087719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:11.492{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3853-63EE-F704-00000000BB02}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000087718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:11.492{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3853-63EE-F704-00000000BB02}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000087717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:11.492{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3853-63EE-F704-00000000BB02}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 23542300x800000000000000087716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:11.474{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D2864AC78CDCA3CFA78EEBD781C650B0,SHA256=85883DB485434591E7FD505B63CEAF6FB9C778F46FCE1C67855046AFA8C6697D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:11.402{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3853-63EE-F704-00000000BB02}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:11.402{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:11.402{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:11.402{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:11.402{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:11.402{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:11.402{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:11.402{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:11.402{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:11.402{A847701F-127E-63EE-0500-00000000BB02}412528C:\Windows\system32\csrss.exe{A847701F-3853-63EE-F704-00000000BB02}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:11.402{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:11.402{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3853-63EE-F704-00000000BB02}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:11.403{A847701F-3853-63EE-F704-00000000BB02}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000118197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:12.759{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:12.755{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:12.745{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:12.733{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:12.694{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:12.685{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:12.665{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:12.656{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:12.654{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:12.648{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:12.645{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:12.641{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:12.639{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:12.636{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:12.124{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:12.122{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:12.121{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 354300x8000000000000000118180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:10.884{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64612-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000087727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:12.963{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2384A4EBF122F7F2EE68D1546FF73F87,SHA256=59DDC073C6037FCFCC06B99E9C581AEC44471F3D587E9CDFBA981367536BCAD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:09.304{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51587-false10.0.1.12-8000- 23542300x8000000000000000118198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:13.011{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=661DF40582FF5472CC16B60684FE7B99,SHA256=1DFDBC7979E5F70E5A95B70267CE168525CA18AFB2B8EF8A14F238717F37BB8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:13.560{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3855-63EE-F804-00000000BB02}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:13.560{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:13.560{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:13.560{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:13.560{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:13.560{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:13.560{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:13.560{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:13.560{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:13.560{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:13.560{A847701F-127E-63EE-0500-00000000BB02}412428C:\Windows\system32\csrss.exe{A847701F-3855-63EE-F804-00000000BB02}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:13.560{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3855-63EE-F804-00000000BB02}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:13.561{A847701F-3855-63EE-F804-00000000BB02}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000087728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:13.069{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5728C56C9258FF98A771F522F083C2B4,SHA256=91E78793594A3674A2F5391D2896147B63EF9AA90496BB23FE3B2F0CC817A1DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:14.093{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B0D8983F621F22C87B2F760C2D9086,SHA256=F75705A660B9349D0EFC00AC600B7AC6D8C384AD06F4934F1D8E484AE5353150,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:14.849{A847701F-3856-63EE-F904-00000000BB02}22803872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:14.630{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3856-63EE-F904-00000000BB02}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:14.630{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:14.630{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:14.630{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:14.630{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:14.630{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:14.630{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:14.630{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:14.630{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:14.630{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:14.630{A847701F-127E-63EE-0500-00000000BB02}412528C:\Windows\system32\csrss.exe{A847701F-3856-63EE-F904-00000000BB02}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:14.630{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3856-63EE-F904-00000000BB02}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:14.631{A847701F-3856-63EE-F904-00000000BB02}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000087742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:14.151{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C916071E4656D5088682A699C95CCAD4,SHA256=0EB313EED66E80347EA6479F528AF14131041405710A77895FE9395AAE227EE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:15.186{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87E1E4B8B668F575BEA123593D6CDF46,SHA256=E72D32958955B6069F0C73DFB5F207C3474016ECAFCF83AEA25B3ECB118BD347,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:15.861{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3857-63EE-FB04-00000000BB02}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:15.861{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:15.861{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:15.861{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:15.861{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:15.861{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:15.861{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:15.861{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:15.861{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:15.861{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:15.861{A847701F-127E-63EE-0500-00000000BB02}412528C:\Windows\system32\csrss.exe{A847701F-3857-63EE-FB04-00000000BB02}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:15.861{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3857-63EE-FB04-00000000BB02}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:15.863{A847701F-3857-63EE-FB04-00000000BB02}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000087771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:15.438{A847701F-3857-63EE-FA04-00000000BB02}18642328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:15.253{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3857-63EE-FA04-00000000BB02}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:15.253{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:15.253{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:15.253{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:15.253{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:15.253{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:15.253{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:15.253{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:15.253{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:15.253{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:15.253{A847701F-127E-63EE-0500-00000000BB02}412428C:\Windows\system32\csrss.exe{A847701F-3857-63EE-FA04-00000000BB02}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:15.253{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3857-63EE-FA04-00000000BB02}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:15.255{A847701F-3857-63EE-FA04-00000000BB02}1864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000087757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:15.237{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13A77A35B622D1A36FADB6B30632624F,SHA256=56DB2F388445AE59FB97B45B983A0BFA064D8E9645F0F47C7C1138D290D979A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:13.173{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64613-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000118202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:16.279{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D169ABB92F3DFB3816428F60DDF9B9F9,SHA256=9F719076CDB2017A9EA6976B71117371211A5E7155D7DCE3EDAF3518022B80D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:16.948{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C0C09905F9C48D168B2F022315D009F,SHA256=7398DC1FEF7FED7763B473E56A39533B2EEE0D811C1274AA9C48570851A030FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:16.456{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18DD89269F8AB946026F8D44A4791FE6,SHA256=5F54D6933208F9417ED2E1D85E48A579912DB818CB11C2261EA84FB3D17351DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:16.094{A847701F-3857-63EE-FB04-00000000BB02}4084696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:17.362{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CFC6FF9128B9BD9D161B27556FAA244,SHA256=A26049BF0A2961AEBEA53E42BA78D9A0D1989FE1D5059F554AC1DD75FE8ACE9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:17.507{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75B95965B141BF74C9D8B211AAA73CC1,SHA256=C6B6EC219DB3084E533A37B08BE107DBECFBE7F05B35FB08DBFA9523A7B2CDE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:18.711{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-385A-63EE-FC04-00000000BB02}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:18.711{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:18.711{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:18.711{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:18.711{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:18.711{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:18.711{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:18.711{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:18.711{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:18.711{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:18.711{A847701F-127E-63EE-0500-00000000BB02}4122656C:\Windows\system32\csrss.exe{A847701F-385A-63EE-FC04-00000000BB02}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:18.711{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-385A-63EE-FC04-00000000BB02}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:18.712{A847701F-385A-63EE-FC04-00000000BB02}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000087790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:18.586{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C21C009C47FE40F077C2072CC675C4EB,SHA256=0A227E8515DCA8E1EADC8ADCA09AE7D7B0660DF9A391DF89245C9BC06AA91842,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:18.440{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63BC1A5352810FC766D080D3B5E4238C,SHA256=E4C2A4270D5D3C02A6F0C977A6078F2C2E8239A2965AC8EB5EBA135EE6078FBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:15.197{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51588-false10.0.1.12-8000- 23542300x800000000000000087804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:19.670{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFA570ABEDFDC0E078412E7809B545E4,SHA256=20FF0C456ADD670EB0CE1D8C68A52112A834224C30F077703F869A80A0F44A3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:19.511{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E54498A0013D9A434A2C232E1F41FABC,SHA256=628682BEDF5AE607835115CF60E28F625334DAF7EDA00341DB1FC58236A929B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:17.447{3F28B219-1280-63EE-0100-00000000BA02}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local138netbios-dgm 354300x8000000000000000118205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:17.446{3F28B219-1280-63EE-0100-00000000BA02}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 10341000x800000000000000087834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:20.949{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:20.946{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:20.942{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:20.940{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:20.938{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:20.935{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:20.932{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:20.930{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:20.928{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:20.924{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:20.922{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:20.915{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:20.906{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:20.902{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:20.890{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:20.887{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:20.872{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:20.865{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:20.832{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:20.824{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:20.814{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:20.802{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:20.792{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:20.786{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:20.776{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:20.765{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:20.756{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 23542300x800000000000000087807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:20.751{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA8553BB770EE67198D1CC442CAD0688,SHA256=85C62BABB9F1FB4EDEAD421798CD351B4ADA076611475D2565E3E670DF6B5653,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:20.745{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000087805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:20.742{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x8000000000000000118217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:20.657{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-385C-63EE-6A05-00000000BA02}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:20.657{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:20.657{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:20.657{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:20.657{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:20.657{3F28B219-1282-63EE-0500-00000000BA02}412428C:\Windows\system32\csrss.exe{3F28B219-385C-63EE-6A05-00000000BA02}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:20.657{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-385C-63EE-6A05-00000000BA02}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:20.659{3F28B219-385C-63EE-6A05-00000000BA02}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:20.595{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9D59103C22942119A2481D6B4423AF5,SHA256=CD0E7AF2C58D608CEB92B743FF3B348D54886502C71881D7810ECD0E7ACB016D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:18.380{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64614-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000118236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:21.831{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-385D-63EE-6C05-00000000BA02}2208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:21.831{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:21.831{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:21.831{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:21.831{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:21.831{3F28B219-1282-63EE-0500-00000000BA02}412524C:\Windows\system32\csrss.exe{3F28B219-385D-63EE-6C05-00000000BA02}2208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:21.831{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-385D-63EE-6C05-00000000BA02}2208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:21.832{3F28B219-385D-63EE-6C05-00000000BA02}2208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:21.693{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17AC1E1ECD7686D7DE4D9059CFBF847E,SHA256=843AE809666BD3E8753FD58C2A7F0D650964AD8F3DED69092BF363E347D145B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:21.693{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AE294C613719F4D88C9D021DEBF9D77,SHA256=41B9905CA9A88BA1DA0671FAFBD5120F429EA961FD2417200E01669C29E35367,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:21.267{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B6367BC6F5E682E150D7B22C117EE4D6,SHA256=BE033797A641FEF941697D6D81AB1ABB0B96210C866BBC6B372AC531BCEC1947,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:21.164{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-385D-63EE-6B05-00000000BA02}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:21.161{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:21.160{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:21.160{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:21.160{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:21.160{3F28B219-1282-63EE-0500-00000000BA02}412428C:\Windows\system32\csrss.exe{3F28B219-385D-63EE-6B05-00000000BA02}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:21.160{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-385D-63EE-6B05-00000000BA02}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:21.160{3F28B219-385D-63EE-6B05-00000000BA02}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000118246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:22.903{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-385E-63EE-6D05-00000000BA02}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:22.903{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:22.903{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:22.903{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:22.903{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:22.903{3F28B219-1282-63EE-0500-00000000BA02}412380C:\Windows\system32\csrss.exe{3F28B219-385E-63EE-6D05-00000000BA02}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:22.903{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-385E-63EE-6D05-00000000BA02}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:22.904{3F28B219-385E-63EE-6D05-00000000BA02}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:22.796{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=998A36B443E9023BFF3A60E5E38309C5,SHA256=42C1CDC73DF13F8793D6F8713D4402291FEBFADE002F0196C675B41C5D8CBCE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:22.158{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD58D7E4CD9F6BA5B1B5DDF4B8B208FA,SHA256=D4CE6394668FCF46AD7EE4FA37D74A52ED8210AC881F49F9EA72F2266F63866D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:22.030{3F28B219-385D-63EE-6C05-00000000BA02}22087080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:23.900{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D087D29A98689681E5DD874719EC917,SHA256=793A1BDC311046FAD67A6F18EE40A28A39D7DEFBDC4C666AEA6DE16DBF947B99,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:20.214{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51589-false10.0.1.12-8000- 23542300x800000000000000087836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:23.261{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE7DBA766B46C8E82F0B638A0FAC8C16,SHA256=B668FD7A9A088AE0F889F753B3CE0096DC8470C773E2E72CE7987EB4B7D432A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:23.498{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=40441A304F27301BDAC8EA52BBC5850B,SHA256=3D74BF6413199AFA71D32DEDBCF39760AFB832FD0F0BBDDBDDD5D8D4BFC6EF20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:23.154{3F28B219-385E-63EE-6D05-00000000BA02}66763860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:24.987{3F28B219-3860-63EE-6F05-00000000BA02}70001400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:24.971{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F3881EF7D59EBFD095B0A2177D4B22B,SHA256=0032F378750EA97B67F0F35AA78965BC54CAF130B56B2096A51D3841D132E746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:24.352{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25467560873B5132A45CDEBF8AFD5DA2,SHA256=510EEC7D6E7692D1151AA6727460B9B06B0009E590A3CB9372E45F8E383CF227,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:24.765{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3860-63EE-6F05-00000000BA02}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:24.760{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:24.760{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:24.760{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:24.759{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:24.759{3F28B219-1282-63EE-0500-00000000BA02}412368C:\Windows\system32\csrss.exe{3F28B219-3860-63EE-6F05-00000000BA02}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:24.759{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3860-63EE-6F05-00000000BA02}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:24.759{3F28B219-3860-63EE-6F05-00000000BA02}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000118258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:24.324{3F28B219-3860-63EE-6E05-00000000BA02}24446904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:24.088{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3860-63EE-6E05-00000000BA02}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:24.088{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:24.088{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:24.088{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:24.088{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:24.088{3F28B219-1282-63EE-0500-00000000BA02}412428C:\Windows\system32\csrss.exe{3F28B219-3860-63EE-6E05-00000000BA02}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:24.088{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3860-63EE-6E05-00000000BA02}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:24.089{3F28B219-3860-63EE-6E05-00000000BA02}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000087839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:25.440{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=117A0D98BB12A9723EBD6BE5E97F251C,SHA256=F922125F8BD4A736EEA9A26EA1C113002F35E94923F720BA63C0C95F233E3FB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:23.502{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local64615-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local389ldap 354300x8000000000000000118269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:23.502{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local64615-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local389ldap 23542300x800000000000000087840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:26.525{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=061E52A6D79C640114541683471AB4FA,SHA256=10C9E5AC5592EFA06FA82025C9B489EA460B6A524858BD69315BD38E4D3BE9B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:26.772{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3862-63EE-7005-00000000BA02}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:26.770{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:26.770{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:26.770{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:26.770{3F28B219-1282-63EE-0500-00000000BA02}412524C:\Windows\system32\csrss.exe{3F28B219-3862-63EE-7005-00000000BA02}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:26.770{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:26.769{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3862-63EE-7005-00000000BA02}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:26.769{3F28B219-3862-63EE-7005-00000000BA02}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000118272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:24.200{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64616-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000118271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:26.063{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D389B30515345DC9962B5D6DF085F384,SHA256=C8DA5D6F12639B8B5AD5AAFBAF9ABD64BA02FF9B5F645E935AFCB884237FD246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:27.610{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC06D6CBB30B3A248A37399B8B8B5E4,SHA256=C908C062577615E413F257126B9E1FC57C95EC396040E12FDDBD82F317DD8A31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:27.864{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02A116F4D2F186AA3BC8BEE698110C05,SHA256=F3913B8E966835FF8C94D06BA956A52230349029BB49BD141307D49F432FB364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:27.171{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF2949428E3B1983A1D8018BC9E3425,SHA256=2A4B1CA082B001F9764EFD606926E38268A7E714467D2EC52C786E3B4F16DF56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:28.716{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=006EEFAAABD59C971E85D3F15945EE09,SHA256=8014EC35F70C165E7E8AB4C8C03EB643DAEC38B8172808AF955FDAC32AD697B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:28.252{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D198158D27A4C5BBFE83E9D8511238D6,SHA256=E1CBA06974F9109B759817E77875C2BAEC1E6278681842F78FD5A8511A962600,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:26.198{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51590-false10.0.1.12-8000- 23542300x800000000000000087844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:29.808{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF79A3DEFE54B36B2FF1E406EA3E94D0,SHA256=CC7A889E33550331D0B5623AA6C5FA578D8623C7FB14F7B711092723F779A82E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:29.630{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:29.626{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:29.623{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:29.613{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:29.595{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:29.570{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:29.563{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:29.541{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:29.531{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:29.527{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:29.525{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:29.523{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:29.516{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:29.491{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:29.463{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:29.446{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:29.437{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:29.422{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:29.406{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:29.353{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 23542300x8000000000000000118289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:29.337{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B7A98DBFDE32C393644C81B0D67B463,SHA256=626A5ECF684B5D2333BF3EC4155C3D7D11BCDBB916727EB3735363C480462282,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:29.336{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:29.316{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:29.297{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:29.189{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:29.170{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 23542300x800000000000000087845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:30.903{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3C94CBDA2F5DDCF535FB29FC1CF0C23,SHA256=5D3EA2B9187D190F2AB139B3BDA521432FBDCA2E14999BFD403F4DCBF0A67319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:30.373{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2D87FD1A1C7C1D434A45A0AF21CB59B,SHA256=886B24E91C5E748CEA4E405FE83BC64A2C49DD2F18AA42D479702FE2500D5D59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:30.082{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 23542300x800000000000000087846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:31.990{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E7CC34A8C4AADC65AD85A5FE5CA320B,SHA256=7F7F281B713E86BAC189A5AABBCE2720463618A4B9BF786BCFDB2074037CB447,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:31.463{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6662C06FCCF5E9A3675DF4A736237362,SHA256=DD7896E64F80ABC802FE807126A852B56242BF34B930B21CFB588B911149296A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:29.238{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64617-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000118332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:32.752{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:32.746{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:32.735{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:32.714{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:32.676{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:32.664{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:32.650{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:32.644{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:32.642{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:32.638{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:32.636{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:32.633{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:32.632{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:32.629{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:32.552{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-14C1-63EE-EE00-00000000BA02}5488C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:32.539{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D35531D7651B8836BCB71579AF50056,SHA256=3B5E3A38AEA11FEADD770C300F659DF1C315C4B8BA5B8A40EF840B6F0EE79C72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:32.110{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:32.108{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:32.107{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 23542300x8000000000000000118333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:33.610{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8EC06E69F93D629DF3D4852B2C38FD9,SHA256=8BD0431C16F70A40FE14BF54139F700FF147EA5101EB90E68765BCFD1022D5E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:33.084{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=176679847037C21BC4DBB66FA4E10528,SHA256=7CD477C23BC0C16902D4C1FCECFB2E8BD35C07DEC30D1F2C7F15E9D480C3252A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:34.710{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=698C5823C29AE01E46BC849E87BD1A86,SHA256=82C192C5DCF7BF42D33EC495195F9841FF888720A6F3D06BFA25D498C928EF76,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:32.170{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51591-false10.0.1.12-8000- 23542300x800000000000000087848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:34.158{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83ECF6FFBF56D157A320F8FA4BD84ED7,SHA256=DF71DF259850D09361D79C1D3958DA374D30FFEC39DD6861CF334B59F6D4B2FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:35.804{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB6A4C266B71621F3AE05FDCB08CAF36,SHA256=173807B0BCE9150BE8F1F8E2DB8463E965C9DBEB3B7491F33D9B789209AB685F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:35.241{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFA835147A04465AAC388C500A89FCE0,SHA256=665618D5806A0DAE3F17587F4CB4146F6EBB844117EEC46C425C01DF07D4C4D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:36.892{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D33632802D25E7D0E3B5D2D39CB21B38,SHA256=187F19320FC3CE9C08433F5605679D2F51395941047D1756228A806E4FA58E74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:36.313{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7602F4D2FB9C67DA2CE66F9B2E561D01,SHA256=474F62AACA6526BD36F341520CE5C6056CF423BEA3A4AA257A3B36BFCE822665,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:34.282{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64618-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000118338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:37.978{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A522081D44C330D80A3790A9FF5BC0F8,SHA256=06AC77EDABA2BDD1B9CAB066AFB08B20265C58E1F7761484F02DA201F98DCE93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:37.409{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE7DAAA7156F2076F585B7C4820A5265,SHA256=D0D474F94B74D328D027F49598AE79514645D659DFE8E8D1E484BEEF1BE47F0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:38.505{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D1B5F7434FCE236D99020626E48B55F,SHA256=4541BC47DE4A748E07FBC37D41E721701136B05E81F0F33FEA833E8ADF713DAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:37.296{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51592-false10.0.1.12-8000- 23542300x800000000000000087854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:39.590{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E80F33B29DF05DA20DB3DE1CA649B564,SHA256=F0F6A4CE4EE79926ED22F84C537BC697B30ECD4660C62FEB5FB203E9F93DBEBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:39.079{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=562A51531005C62B12A4BC09325E4F88,SHA256=CF7F193DA03BB30B11FA0744468D538EA90E51618F2F64E14CEC7ED731E3928D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:40.993{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000087872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:40.990{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000087871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:40.977{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000087870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:40.975{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000087869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:40.960{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000087868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:40.946{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000087867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:40.891{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000087866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:40.881{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000087865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:40.863{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000087864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:40.847{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000087863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:40.832{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000087862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:40.823{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000087861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:40.802{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000087860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:40.787{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000087859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:40.777{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000087858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:40.765{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000087857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:40.761{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 23542300x800000000000000087856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:40.697{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C1F5DFCEA4059EB5B63D2DA87CC547F,SHA256=6D66A72EF1CF870053EE8964C12857CF035F3E0816AB55A45E084178580A64C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:39.285{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64619-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000118340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:40.174{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F35C22A09D69387D84A5C0CC3E24FEBE,SHA256=80B0F9F2F65B1FDD05C88CE67253FEB548025A9CB68D7B2B7C5AF98A74D6E203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:41.946{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=054A0A56FFA3554220709987FBE1AB89,SHA256=987063AC8DE67394091ADAAAE1765EE0137E11ABD65D4A04E59AF4BA0D12DFCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:41.270{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8D5B0E2CB79D493D6E5AC7F31EFE44E,SHA256=AC055B6ACE39C34C4997B7BF881BD267D636C245A3C0A6B1D6015938124BCB55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:41.034{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000087884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:41.032{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000087883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:41.030{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000087882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:41.028{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000087881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:41.027{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000087880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:41.024{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000087879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:41.024{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000087878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:41.023{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000087877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:41.021{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000087876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:41.016{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000087875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:41.014{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000087874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:41.012{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 23542300x800000000000000087887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:42.980{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ECA022E13ABABE45926B79237885785,SHA256=A57A9187369F16FA3DAD17A779996DD46FA70749A75CD3716787958D303E5537,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:42.358{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CB007FA8F9A3A9D4B94320B7D97EED6,SHA256=3CE3212666413BF6EF0CEB01F58E0F7956EF43A398A973BFA3F64226F0A6D7F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:43.438{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=398B66936B338EECD2283E0C542B6E78,SHA256=D710438B7ECDE6A25228C4CF14D91D043B7BA951F2E1DAD868DB9E8FE9B32BC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:43.277{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=91F528A52A931D6B9F5B885C66823833,SHA256=985F052792E624BFA43CF4D4ED84763216E595D0D083BF06749AE7DDF4A6BBFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:44.520{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23067763B465BE50448412EE22873E56,SHA256=AB24A42C276A1C96FC90A046BB466F2326F7F527D2D8316B4CED9DD0846212B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:44.087{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFCAEAC57D2DE257F7443CEBB27298F4,SHA256=A547368EB11AC2167F85039D7254C2EBC3D0F505F42B3BA63170C69A68A5C296,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:45.611{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25B48BFDE511EF4384D20246C235B5D8,SHA256=4318A962EBC579C32C66263956884A20059A41F236A4F5A337B0A37C71F17C63,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:43.285{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51593-false10.0.1.12-8000- 23542300x800000000000000087890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:45.179{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F909B5D11D7809AABA02CC41FD72461,SHA256=3C2ABE872805EB9C4A990BDB18932CE0F348D0531EF460D224DA1B92DD2244D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:45.270{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64620-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000118347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:46.698{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E45C4030B0E21D1CCFB94247CB57C7B,SHA256=70716189DC2EC9468C65643F13C87C8D40F1970D962ED5DCA11CA0673D23CAD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:46.269{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67B65C413531D4A37CCCD5A62B8D40CD,SHA256=8A1661B279F2AD1840FAB9CB9291A24B6D24CFB88EE233B42B953021736B44F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:47.784{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C12CD018A1757AB48CC6DCEC5966ED34,SHA256=ABD8B6742DA0D744FCBD6362B98FA74A3610F3058A0E888B51708248064E1B61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:47.366{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=798E04B35D851DA8A1CADF6370B6F194,SHA256=A3F1EE6395919D5335C90AE58C25A67BB95E26C5B61519B4F32B9C2F1ED53007,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:48.860{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F6A9DE6E60464B3054571BF20D9EBA9,SHA256=6030C80951F03C0BC28148FAA46826208C8442B9D7A9983EE2563807E9AAD23E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:48.445{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C71BC32F6B115D0FEC8F6B56E0063B7,SHA256=096D378F813776417001EE76563A5713CBA48AAA8CCD600E01247E25E23ACB4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:49.907{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8CAD3414275828081EF71DBCE012FC7,SHA256=FE025768F42795DC76481E6CF9C3EE9320B2536B94BE99D030181BA822EFCEC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:49.540{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4EDA436BFB1C2EB7AA8BD166992B3F2,SHA256=47DCD8B4FFF7F9D60B0AD2FBC12C1B38CFA5AB306035F3E091CA7A5D5977B6E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:49.844{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:49.357{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:49.353{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:49.351{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:49.346{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:49.341{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:49.335{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:49.332{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:49.313{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:49.305{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:49.301{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:49.299{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:49.296{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:49.290{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:49.274{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:49.268{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:49.263{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:49.253{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:49.245{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:49.228{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:49.191{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:49.183{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:49.170{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:49.160{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:49.111{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:49.109{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 23542300x8000000000000000118378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:50.988{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6F6F2B469B9E4C84A351EBDF354E32C,SHA256=249F946E5F72E47EAAE8E1E0C22BEEB59D5385DB43F7E3F227C514336B49149E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:50.968{A847701F-1280-63EE-1200-00000000BB02}1016NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=AC60FB3AA16DE02863ACD4F6526A3417,SHA256=861FE04176247348842FBFEC4C09B4B07E1CF2EAFEA210240DED2CAB5FBEB04C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:50.736{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B17169E944970D36A33675E831564FE,SHA256=91D33A56F7F6A8AF0BD04230405D74EE2DDA5A812D751F31853259D27C06DEBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:51.822{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B01CA1556FB4FE72D3E231B30A26B325,SHA256=1BF18F5ED2AC141C115402ED7B92871713E4B523EEF8ADC73CD6EFC8D8CD5CB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:51.890{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:51.889{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:51.888{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 354300x800000000000000087898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:48.315{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51594-false10.0.1.12-8000- 23542300x800000000000000087900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:52.905{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13B05762D0EA01A213ACC5E48DCF6938,SHA256=505424A8920391F41897EDBF002FF2F8CEAFB5CACC221BBBDBA5423DBF93BFA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:52.523{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:52.519{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:52.497{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:52.487{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:52.444{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:52.437{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:52.423{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:52.417{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:52.416{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:52.410{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:52.407{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:52.405{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:52.404{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000118383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:52.401{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 23542300x8000000000000000118382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:52.071{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8FBAF29D368E5FCB44F9FF8623ECEC6,SHA256=2B683DACE7C7EF62A0D2754BE517049098415BE52DC8C68AEE07722D416964EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:53.981{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9266F620164EA4C1D7E7B5B514BDB82,SHA256=B96E361B71F62591F4F7BAB09294A6AE6AA0A20C0D1FA8CC62B84B85047C179E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:53.659{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DD27E672730BFE0013E82865EB64609A,SHA256=BA9D999405D7AC244C4F79D75522BA3C68D544CCD2E8BBA8F1F434CACCEC1A20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:53.549{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:53.549{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:53.549{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:53.549{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:53.549{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:53.549{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:53.549{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:53.549{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:53.549{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:53.549{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:53.549{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:53.549{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:53.549{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:53.549{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:53.549{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:53.549{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:53.549{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:53.549{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:53.549{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:53.549{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:53.549{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:53.549{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:53.549{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:53.549{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:53.549{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:53.549{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:53.145{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E630CDBE4295DFAD8C2132757143AE67,SHA256=3810D47E7BC9217A4C459386CF6236DC38DC7CF481ABBD71AEB3ACC830FCE761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:53.663{A847701F-1281-63EE-1C00-00000000BB02}1884NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0729cc0666dfd4ba8\channels\health\respondent-20230216112453-157MD5=B67CF1AA8F02C4F88F32B9662830A5FC,SHA256=A3185EA3A347A8F67D824B533332877713B0C696AA9DEB83501331F2F0EF2A42,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:51.225{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64621-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000118427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:54.793{3F28B219-1285-63EE-1100-00000000BA02}756NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A261AC786EC9CFD4660CD9E824C548E2,SHA256=85C041C1AB4B144B5FC0E49F764A19631A5705CD7BA41C780D67A73134524472,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:54.527{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF6ABEC43ADEFEF6C075E6C7FAD215FD,SHA256=6EFCD107FB66A4119FB2CBA31DF75E8D89BF4882FF4A3D3EAB853156C27E96A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:54.664{A847701F-1281-63EE-1C00-00000000BB02}1884NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0729cc0666dfd4ba8\channels\health\surveyor-20230216112450-158MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:55.567{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CE6072B00C434C7B34F2F870881B6E9,SHA256=DCA2D76E810E9963574EF08DC15ED3BA1864733E69781AB758AD83DB42E53B86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:55.574{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:55.573{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:55.573{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:55.061{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5D8C38461F18EA393AB76543DB72E36,SHA256=9134B2706AC8121898F60E316D565C79D8C795D0F0A4F0E1FDBF6284FE24499F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:56.656{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EC7E16710E0FE008E076ED947FC7EC5,SHA256=F23C51240EC1BBB8E8F032583CF34DDC326C302C4F9C1F7A954F7557D1EC92FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:53.319{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51595-false10.0.1.12-8000- 23542300x800000000000000087908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:56.148{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA6AD192AF9F77C0E3C05D763715DF51,SHA256=94F32A5D20B8CE0874232CCF9240C6E25A42426E14EECC56CD16BDFFA0D22920,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:57.739{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35CEB70549344E1AEDA9F818FBBD0097,SHA256=6CACA5866C2E00C5592A473EA7CA3F96809A1A0562CB113599747B642BC65884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:57.240{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34B32FC9DB84105D55A5A27BFE4A72B5,SHA256=D994542037DBEB40A03C9FFBC00AC4B8FD387ED55522E370E8B69BEFB4510873,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:58.829{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7F05DFDAE0522F81F09A9073BDCCA33,SHA256=C2360904FA3E92CF22069406F21E73564DAB1B7BFB0886A6606D7301968F3525,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:58.332{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC9CCF2F2DA911542345A8A228DB19AE,SHA256=F2D7F71CFF396AEF7392D6B852CCA388A447BDE6B52CB580A1AD03E7F1242758,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:59.901{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=563FD05EA51D9B8300853A2CBFEC3A8A,SHA256=FB61A56D1947D441CCC69FDE4C26BC9D4C564B2CE817C24FB5D1D80728C7192E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:59.415{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F01F751DBFCA42E0244C08C36E49A0,SHA256=3F3A0282E1EAD94AD98D843F08AFE3FED7090040148F2851795B66E5E3A4AC29,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:06:57.207{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64622-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000118434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:00.963{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2BD612768B5C0AD46D83B3C63C5F2DC,SHA256=4509786F4B77C0F508F36D49B499139C20E25AFE2621BC4E7AF29C9BCA2304B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:00.987{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000087942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:00.980{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000087941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:00.976{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000087940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:00.961{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000087939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:00.954{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000087938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:00.952{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000087937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:00.951{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000087936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:00.940{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000087935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:00.939{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000087934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:00.936{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000087933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:00.935{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000087932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:00.925{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000087931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:00.911{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000087930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:00.909{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000087929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:00.895{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000087928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:00.893{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000087927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:00.882{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000087926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:00.876{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000087925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:00.859{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000087924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:00.854{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000087923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:00.848{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000087922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:00.843{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000087921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:00.836{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 23542300x800000000000000087920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:00.827{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=281B95656156CCFC1211A59F701603F1,SHA256=86EC2ED804979D2F26D869E18FE5EEF314C2344A30388E16CC0816FC1020DA93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:00.823{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000087918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:00.814{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000087917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:00.799{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000087916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:00.787{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000087915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:00.778{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000087914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:00.778{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 23542300x800000000000000087913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:00.491{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D82213B8253143FEA84F6504EB475592,SHA256=9195A1719BD3736595484CA70583D9E1085BC3807341007ADD4A7F8E1DB65C15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:01.629{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7017C1A0B7255802E3C6F77C3DE1AB7D,SHA256=2F956155177066AD8165EF808963490921486E2419D247BEAE20956645AE8EBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:58.347{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51596-false10.0.1.12-8000- 23542300x800000000000000087947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:02.662{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=097D6111052EA4CF18C9E345FAF6E883,SHA256=018FF01472B1AA793303FB9D5FECA02895CF907CDEC206453ACDA915E337258F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:02.052{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F6F1C2AFF92457BA8B016233ED8437A,SHA256=4F2DAD100A82B9EB1C1F407C2348F36A635AFBF85977889EF4DDDB70BDFFF65F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:06:59.913{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51597-false10.0.1.12-8089- 23542300x800000000000000087948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:03.754{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A030DE45905837215E61ECD5F1647A7,SHA256=832D619FA905515650B3C496F4076C38ACF7C5369B5A1236E51539723F5F841B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:03.249{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAFABBE3E8B1D0C6AF50C6567D6DF3E3,SHA256=B7846A3013DF753BB5786315B1CA936DAD8B0FEC999CA98B1A10BF7A1CC11C1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:04.843{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=847EA77B034B7DA76513E4644F6A4242,SHA256=A264F081683887B84F895034C8D1C0B5EBA7FD831427D32D1A004C1328A5E667,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:02.258{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64623-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000118437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:04.337{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9491CABA4EFB322B6B8A633FE3FE4565,SHA256=AFBE098A7F3868AB6AF142CFF9FE4B302BA722F782ED54340AC3B8076E350E29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:05.922{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFFB51583DB56D030E4AA831B6B8494B,SHA256=97401AB83E8174F2436E93DDAFD9ECE4DC2BF42E172A511BD181DBD82C7235E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:05.431{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD38BD480DA526C7E466E6D948033DE8,SHA256=52B20C3EF4A041B3AD2346A741A0FDBEB9F0CB1F7D4314EC8BB619B690218EB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:06.996{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB0EED5BED9A2012726BECDC05EB9611,SHA256=259B831A2E8E524BE8523EC856B67E3987C9A70FE11BDAFAFCEC8D5C3149515E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:06.518{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4273A0693D40629EC692DE728E6CA8A6,SHA256=8DF4BC7B658AC402662F81AB74E6D7D7EC64A93993BB0421DED1E58AFA184F9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000087951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:04.177{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51598-false10.0.1.12-8000- 23542300x8000000000000000118441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:07.712{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA3B4F405DB2BBC575704AD2FC4C3645,SHA256=3967D0D472D45ADCE0D8E037A8F4EF5BA03EB03BB597A896447C553D1BDB37D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:07.709{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:07.709{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:07.709{A847701F-127F-63EE-0B00-00000000BB02}628716C:\Windows\system32\lsass.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:07.695{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1E00-00000000BB02}1976C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:08.791{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B140A75FEB9E5125E8FDD56EE92DD2F6,SHA256=22F3F1F5FEE60501E15FC99735EA2797810C4343775DFCF49A73B6E5B3992B58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:08.101{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53BBE4B4B0F2650D15F8192C1DC6FE05,SHA256=AEC645EB7282C2E281088D38D5A51509D77B8CA44A7D0A77BE725FDCD457A1BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:09.913{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 23542300x8000000000000000118469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:09.822{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39CA698FEA85A503EC87AADB8D1153F2,SHA256=2FE27E24E6E174CC044EA6620452BBEB6B073E47720152293B2C88778FFAEB42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:09.205{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=425922A0DF8E2072792A0F7E24716E88,SHA256=CAD078C89D4187CEEDA23F34BE69822F8C67FBB7E9049F4FEAC44828194C78E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:09.395{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:09.388{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:09.387{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:09.382{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:09.375{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:09.368{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:09.364{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:09.345{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:09.336{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:09.332{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:09.330{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:09.327{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:09.322{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:09.306{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:09.301{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:09.293{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:09.283{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:09.268{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:09.246{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:09.211{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:09.200{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:09.187{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:09.175{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:09.114{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:09.111{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 23542300x8000000000000000118443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:09.098{3F28B219-1293-63EE-2700-00000000BA02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-005f8c708c98243a3\channels\health\respondent-20230216112509-157MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:10.882{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C211FFDF1C1AF96B22A98F63824F06B,SHA256=42E087006DEE3549A25C251885B352EE8B9E0DF0DBE67B8CAF010F8CD45898CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:10.670{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-388E-63EE-FD04-00000000BB02}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:10.670{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:10.670{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:10.670{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:10.670{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:10.670{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:10.670{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:10.670{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:10.670{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:10.670{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:10.670{A847701F-127E-63EE-0500-00000000BB02}4122040C:\Windows\system32\csrss.exe{A847701F-388E-63EE-FD04-00000000BB02}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:10.670{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-388E-63EE-FD04-00000000BB02}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:10.671{A847701F-388E-63EE-FD04-00000000BB02}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000087959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:10.298{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62F747075B33AE803F05F6CC01ABE3EE,SHA256=23A999C08BB0E5DDDE15FB2B8EE3CB470689D296040F21E4623E51BDC9C611F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:08.277{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64624-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000118472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:10.760{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=281B95656156CCFC1211A59F701603F1,SHA256=86EC2ED804979D2F26D869E18FE5EEF314C2344A30388E16CC0816FC1020DA93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:10.098{3F28B219-1293-63EE-2700-00000000BA02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-005f8c708c98243a3\channels\health\surveyor-20230216112508-158MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:11.963{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D45E135BFF0AC5F17407A9B054636B8,SHA256=C7F026DF6BA93B6825B4C73E2D877070D1107CD1814E58810E9395D222014E7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:11.959{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:11.958{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:11.956{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 23542300x800000000000000087988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:11.754{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C8502950D64131D1BA9736754814D56,SHA256=2031781D88FC3B8652748AEC57E21B25893A0453082B8B0763BBCF1C5FFD2A64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:11.539{A847701F-388F-63EE-FE04-00000000BB02}6841492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000087986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:11.379{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D49F529003B171B8C34769440633A86,SHA256=CDD91506391BBA6F438FB3BFADA30A1AA45239D36EBF2691FF88DB8D3CD1C276,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000087985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:11.332{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-388F-63EE-FE04-00000000BB02}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:11.332{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:11.332{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:11.332{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:11.332{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:11.332{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:11.332{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:11.332{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:11.332{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:11.332{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:11.332{A847701F-127E-63EE-0500-00000000BB02}4122040C:\Windows\system32\csrss.exe{A847701F-388F-63EE-FE04-00000000BB02}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:11.332{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-388F-63EE-FE04-00000000BB02}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:11.333{A847701F-388F-63EE-FE04-00000000BB02}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000087991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:12.581{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=60F5553793E77FF427E0AF02BB785F13,SHA256=69B6635F4A9445AD420722967904BEC4B53C2EE8B556321CAB180913EE71031F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000087990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:12.503{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B7059737EF184B2EAB74380541DDE5A,SHA256=AC43F865FA1A28E1CE5A82F1D258107CD089FADB9D60EF9D934363CE5D60150C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:12.626{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:12.621{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:12.604{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:12.581{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:12.524{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:12.516{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:12.505{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:12.500{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:12.499{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:12.495{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:12.491{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:12.481{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:12.480{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:12.476{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 23542300x800000000000000087989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:12.050{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=BDC743BB860CD100AC1D56BFC4ABD854,SHA256=05C671637D4C8CA15D51CB8E7D5ACF0DECA378E16825A65FADF7F2F1AF4B756C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:10.154{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51599-false10.0.1.12-8000- 23542300x800000000000000088005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:13.578{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1748AD1775CCD6AB43AB81543FF46EA9,SHA256=84C7BFD8893BE11A3B995B36DF0FB45A1BE1F86F66178476ED66C4ECAD34736E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:13.563{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3891-63EE-FF04-00000000BB02}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:13.563{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:13.563{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:13.563{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:13.563{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:13.563{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:13.563{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:13.563{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:13.563{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:13.563{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000087994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:13.563{A847701F-127E-63EE-0500-00000000BB02}4122040C:\Windows\system32\csrss.exe{A847701F-3891-63EE-FF04-00000000BB02}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000087993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:13.563{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3891-63EE-FF04-00000000BB02}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000087992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:13.563{A847701F-3891-63EE-FF04-00000000BB02}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000118494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:10.903{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64625-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000118493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:13.039{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA97A42FF18DA9196A221DD18A2DA942,SHA256=BD14455D254E66045224EE0852429E90B17F78E5F50F9C075147B9BE130E7176,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:14.829{A847701F-3892-63EE-0005-00000000BB02}7762460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:14.657{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E980D3BC0C2EED88DA97FDCF945CA08C,SHA256=C24449A1E7268DFBE516A2D46DD0D8951546C38B345E5E996E8FCC86D2865EC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:14.641{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3892-63EE-0005-00000000BB02}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:14.641{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:14.641{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:14.641{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:14.641{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:14.641{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:14.641{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:14.641{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:14.641{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:14.641{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:14.641{A847701F-127E-63EE-0500-00000000BB02}4122040C:\Windows\system32\csrss.exe{A847701F-3892-63EE-0005-00000000BB02}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:14.641{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3892-63EE-0005-00000000BB02}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000088007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:14.642{A847701F-3892-63EE-0005-00000000BB02}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:14.123{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5669ABC349D9D5851DB3FD9DA390287C,SHA256=15FCB8769C9DC248806E7FEB42E610D05B4984CC3C656D59CDC80C4EFB6B6AFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:15.983{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3893-63EE-0205-00000000BB02}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:15.983{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:15.983{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:15.983{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:15.983{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:15.983{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:15.983{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:15.983{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:15.983{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:15.983{A847701F-127E-63EE-0500-00000000BB02}4122040C:\Windows\system32\csrss.exe{A847701F-3893-63EE-0205-00000000BB02}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:15.983{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:15.983{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3893-63EE-0205-00000000BB02}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000088036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:15.983{A847701F-3893-63EE-0205-00000000BB02}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:15.214{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70CDF3CD949A0CB8874821E0ACA7E546,SHA256=88A0F828D0B7F8CE615EAD137974653803DF9324EA0B62DF31EC861DAC05B343,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:15.569{A847701F-3893-63EE-0105-00000000BB02}24564028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:15.306{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3893-63EE-0105-00000000BB02}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:15.306{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:15.306{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:15.306{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:15.306{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:15.306{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:15.306{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:15.306{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:15.306{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:15.306{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:15.306{A847701F-127E-63EE-0500-00000000BB02}4122040C:\Windows\system32\csrss.exe{A847701F-3893-63EE-0105-00000000BB02}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:15.306{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3893-63EE-0105-00000000BB02}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000088022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:15.307{A847701F-3893-63EE-0105-00000000BB02}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000118498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:14.298{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64626-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000118497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:16.303{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0263834C25FABE1A27F29E0C87588D1,SHA256=2D1B72C0275C1B77D6EA96742523B4A57F9BA406E708B26FB589056FB2AE27A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:16.265{A847701F-3893-63EE-0205-00000000BB02}3052956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:16.176{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F78B6F36013588D4383CC52ED60A10F9,SHA256=FB438A4911F05B245F8CB14078E7212BC87867063FD930AF8632FCE480A2771D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:16.165{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3893-63EE-0205-00000000BB02}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000088053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:16.165{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3893-63EE-0205-00000000BB02}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000088052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:16.164{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3893-63EE-0205-00000000BB02}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000088051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:16.163{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3893-63EE-0205-00000000BB02}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000088050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:16.163{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3893-63EE-0205-00000000BB02}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000088049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:16.163{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3893-63EE-0205-00000000BB02}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 23542300x8000000000000000118499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:17.395{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D46CCF9E04CBFB525C2A19B486225A21,SHA256=E769A9D9581F2D724338E45399D054DF47E83F19568BE7D5D860786C6980FFFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:17.156{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F69E9B9C39F65155CCC422069F5E8364,SHA256=AAB39175B1C58DF1A0EA888C1EC482AF042D8CEE87478849A97C7661617C9832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:18.481{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A85EDB35C01332D87380E56B501E16F,SHA256=720B9F56A70373AB2AEE8D4EA08DC6F153D7D74E532E76FCD71E7F9A8B1BB747,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:18.704{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3896-63EE-0305-00000000BB02}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:18.704{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:18.704{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:18.704{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:18.704{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:18.704{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:18.704{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:18.704{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:18.704{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:18.704{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:18.704{A847701F-127E-63EE-0500-00000000BB02}412528C:\Windows\system32\csrss.exe{A847701F-3896-63EE-0305-00000000BB02}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:18.704{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3896-63EE-0305-00000000BB02}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000088059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:18.705{A847701F-3896-63EE-0305-00000000BB02}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000088058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:18.236{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=498998705C5B5546D4991FA45CCEE112,SHA256=9C58B121976809E0072218F7B45A782F5C1CD57014830166BD2AFC5D991645A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:19.563{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0821F7EC189B3D55D2D42B7FA2B84A93,SHA256=4FE7919385988FE836909A6998068ED5DC882D188E712493326ECA578E0244E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:19.834{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D9C8764ADE1A89C35F02FFA8C5DA09B,SHA256=4B5440804BF16EEC1699F747434FD97C48A939BA9A1A3961918001C7FCDF09D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:19.327{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E04B54A2CC3EE61C26D836B9BE72B92,SHA256=782E8EE83C5F1F29DB97106A9EAD99CC54BFA51ABD03E69701D094FADBB67549,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:15.309{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51600-false10.0.1.12-8000- 10341000x8000000000000000118511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:20.854{3F28B219-3898-63EE-7105-00000000BA02}48406120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:20.658{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3898-63EE-7105-00000000BA02}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:20.658{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:20.658{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:20.658{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:20.658{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:20.658{3F28B219-1282-63EE-0500-00000000BA02}412524C:\Windows\system32\csrss.exe{3F28B219-3898-63EE-7105-00000000BA02}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000118504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:20.658{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6225E4B8866D962DEBDF808D523B902E,SHA256=908C6BF6D3D50C768C1BE66B241FC9E81A7D26052039398B4726D9A2340E7401,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:20.658{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3898-63EE-7105-00000000BA02}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:20.659{3F28B219-3898-63EE-7105-00000000BA02}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000088097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:20.996{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:20.994{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:20.991{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:20.990{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:20.981{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:20.962{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:20.958{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:20.947{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:20.943{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:20.922{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:20.913{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:20.865{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:20.849{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:20.833{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:20.820{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:20.807{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:20.796{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:20.782{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:20.774{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:20.764{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:20.753{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:20.750{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 23542300x800000000000000088075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:20.419{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D5D37534D3210C098077B8AD62FDC81,SHA256=BB890FEAC681A5F0EB31FB67A084F950F6EDF8C2B2BCA09F7B16343100760C35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:21.606{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD42267F8572D9B96583F431DBB4A50D,SHA256=8B508DC319E87A74D6131CC8D466F910AEA2F52FBA4B32B114DC80C26D247185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:21.755{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8657F4F2E0610B0B77016C7FD93B8C4,SHA256=3E2A3603DDF343371AED1608C6135D257CD09A17DD24B0318B47A76D5F46DAB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:21.754{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6215BAD1C09E44DCAE2C21F1AE03F85C,SHA256=267968C1D9C85A8489BD86FDC01E256260768E3E801F8137DB383DBB8A2094DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:21.703{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3899-63EE-7205-00000000BA02}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000118525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:21.701{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3899-63EE-7205-00000000BA02}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000118524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:21.701{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3899-63EE-7205-00000000BA02}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000118523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:21.701{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3899-63EE-7205-00000000BA02}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000118522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:21.701{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3899-63EE-7205-00000000BA02}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000118521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:21.701{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3899-63EE-7205-00000000BA02}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000118520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:21.339{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3899-63EE-7205-00000000BA02}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:21.339{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:21.339{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:21.339{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:21.339{3F28B219-1282-63EE-0500-00000000BA02}412524C:\Windows\system32\csrss.exe{3F28B219-3899-63EE-7205-00000000BA02}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:21.339{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:21.339{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3899-63EE-7205-00000000BA02}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:21.340{3F28B219-3899-63EE-7205-00000000BA02}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000118512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:19.347{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64627-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000088104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:21.022{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:21.018{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:21.015{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:21.010{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:21.008{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:21.002{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:20.999{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 23542300x800000000000000088106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:22.694{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF501FEE7297899B90B358032C70F48B,SHA256=AED365353276901F804D42085F04A423EA129A11BCA738EB2D8E0453B5207AA6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:22.898{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-389A-63EE-7405-00000000BA02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:22.898{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:22.898{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:22.898{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:22.898{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:22.898{3F28B219-1282-63EE-0500-00000000BA02}412380C:\Windows\system32\csrss.exe{3F28B219-389A-63EE-7405-00000000BA02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:22.898{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-389A-63EE-7405-00000000BA02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:22.899{3F28B219-389A-63EE-7405-00000000BA02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:22.823{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=237755C31B49ACAD660F830803199CF0,SHA256=88F723A6081316B56EFB3CFC4F66C46C13BEF6F9D71C68AB7803CEE9E9F71313,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:22.204{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-389A-63EE-7305-00000000BA02}4964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:22.204{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=268BCD75D6318133ED599EC07340A088,SHA256=15712EF16645A09611DD316D1117201286A7D2046DC47FB38F7C13DFF91C2D9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:22.204{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:22.204{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:22.204{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:22.204{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:22.204{3F28B219-1282-63EE-0500-00000000BA02}412428C:\Windows\system32\csrss.exe{3F28B219-389A-63EE-7305-00000000BA02}4964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:22.204{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-389A-63EE-7305-00000000BA02}4964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:22.205{3F28B219-389A-63EE-7305-00000000BA02}4964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000088108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:21.362{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51601-false10.0.1.12-8000- 23542300x800000000000000088107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:23.789{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB496BE249D7805351FAB2B26A86D9A,SHA256=6AEE2092383B295F27BBD8EEB31725D7F99DB6D9419864F1E59BD74AE4D96550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:23.301{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CEB6C3ED7D1C96D82DF8CAB22CEA59D,SHA256=DE627AD044B207BC2F8EB1B1FAE72C3550BADE427ADDF6DF8F92A3961AE5436C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:23.101{3F28B219-389A-63EE-7405-00000000BA02}29006152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:24.875{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E23B3E37B028232FCD36540C1E7DB687,SHA256=12F08BE85A74C42B9D216853A945E1699097A0C039035F82A1585D26462B9049,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:24.964{3F28B219-389C-63EE-7605-00000000BA02}60921140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:24.766{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-389C-63EE-7605-00000000BA02}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:24.766{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:24.766{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:24.766{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:24.766{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:24.766{3F28B219-1282-63EE-0500-00000000BA02}412524C:\Windows\system32\csrss.exe{3F28B219-389C-63EE-7605-00000000BA02}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:24.766{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-389C-63EE-7605-00000000BA02}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:24.767{3F28B219-389C-63EE-7605-00000000BA02}6092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:24.404{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34ECBED4D228A7A746811C6628F47DA3,SHA256=58DB0EAD7AEF1A1E5E74AC0F9A547075E107E995E5154F967709161233FA8FAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:24.295{3F28B219-389C-63EE-7505-00000000BA02}5276580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:24.092{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-389C-63EE-7505-00000000BA02}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:24.092{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:24.092{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:24.092{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:24.092{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:24.092{3F28B219-1282-63EE-0500-00000000BA02}412524C:\Windows\system32\csrss.exe{3F28B219-389C-63EE-7505-00000000BA02}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:24.092{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-389C-63EE-7505-00000000BA02}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:24.093{3F28B219-389C-63EE-7505-00000000BA02}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000088110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:25.973{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E103F46001A50D8727F91974DD77158C,SHA256=00CCFAFC3656D5EA25E39F6DCC42D48713FDF2E97CB3D3F4D7BE7BC1F90D5CDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:25.511{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8C58EDF9B4C28570AEEF2F2C199C0E8,SHA256=67DAEEC8174D35C2007F90AA20F85881FCCA4F5749D5664C544FD0224E9ECE95,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:23.508{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local64628-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local389ldap 354300x8000000000000000118568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:23.508{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local64628-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local389ldap 10341000x8000000000000000118580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:26.776{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-389E-63EE-7705-00000000BA02}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:26.776{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:26.776{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:26.776{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:26.776{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:26.776{3F28B219-1282-63EE-0500-00000000BA02}412524C:\Windows\system32\csrss.exe{3F28B219-389E-63EE-7705-00000000BA02}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:26.776{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-389E-63EE-7705-00000000BA02}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:26.777{3F28B219-389E-63EE-7705-00000000BA02}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:26.600{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1185F385159BC8314CF9FA8A450F4E4,SHA256=E619015BF6BD097E05E18696A90D26C78397681E2B0D28431E9057A4841537B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:24.392{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64629-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000118582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:27.784{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC2F4C072F537FFF5FBE506A37969CEB,SHA256=9E6FF1C749240F8CC9AC3A825720F45DB3F4BEA191689FB9CC0A1E8F73A875C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:27.681{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E7516105379ADF56ADBB730AC89C0D2,SHA256=4D98CA1B5F7E20BFFE0D1E17F721AEB295DD717609E580947569AE814776D3F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:27.062{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FDDD5D3FEA13E24C40639B741A75A33,SHA256=4BDFA6D1E40002FC1498DCEE02190809A598FA5B4954EF30BCD8AF18D6DE1290,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:28.763{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F35B1972905C4BDEF698638F9A1AAA6,SHA256=CBA15183203DEEBA48EFFC99DFD9229E948685EE4CA0B071D58FD4EE6B8D24E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:28.159{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B829D81D3BF520DD4C69315567FC0A4C,SHA256=73F1FA8052FE09602950F382E42B92C1D6FD66FFC7F3193F2282E0C30268547D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:29.959{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 23542300x8000000000000000118609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:29.908{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE20C50008631FB1907F08491AC0EAAF,SHA256=51865FCD07AE8282AB9BF9F6D2E59BF2E892573CA4C6DC78F1AAA3351B9E50AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:29.266{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDACA5D8A3FDE8064A713BF59E396655,SHA256=3D69EE934EAC9ED4BE75CBC23570EB86D601CAF6A003E9F37F88BD98223144DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:29.470{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:29.461{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:29.459{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:29.452{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:29.443{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:29.435{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:29.431{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:29.414{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:29.407{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:29.403{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:29.401{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:29.398{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:29.391{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:29.374{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:29.365{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:29.351{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:29.343{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:29.332{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:29.316{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:29.271{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:29.258{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:29.238{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:29.224{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:29.150{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:29.144{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 23542300x8000000000000000118611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:30.980{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1198185C2DCE57241AE0C761CC56D108,SHA256=E000033D4A051CE42A763BB8345C5FA4FC8B34D7E64535540456135F24E29969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:30.349{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B37BC1AF18DC21325CA8FBB636E02C12,SHA256=3D550920339247DDF97BB4830128A50703451991D77D0C41E9730C81673D765F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:27.137{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51602-false10.0.1.12-8000- 10341000x8000000000000000118614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:31.984{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 23542300x800000000000000088116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:31.441{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DF59758A0DAD7E714B7722D30EA7237,SHA256=EA2A5B9CE0DC8037DA68441C7909B06E100A7AA0F026A13CF63F245050A5C127,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:31.983{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:31.981{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 23542300x800000000000000088117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:32.530{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34A08C107A5C568D64332AF053F5FAAB,SHA256=3150C420C7B5905A59EC1763B3EF833B2DD981D9246CB3744CBB030BE5291336,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:32.615{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:32.609{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:32.591{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:32.572{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:32.571{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:32.571{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:32.570{3F28B219-1283-63EE-0B00-00000000BA02}6284564C:\Windows\system32\lsass.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:32.552{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-14C1-63EE-EE00-00000000BA02}5488C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:32.534{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:32.524{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:32.512{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:32.507{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:32.505{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:32.501{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:32.499{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:32.496{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:32.495{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:32.493{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 354300x8000000000000000118616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:30.372{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64630-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000118615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:32.057{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B408FF8F70628DC2D0D5DC425EF48E5,SHA256=5B5429BB6F61F6282CF6E239C1E0975CED4B4286329641216FC1B5A07224D7A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:33.620{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75F8CAD1666F4F802A822390F0F63A29,SHA256=401D16E7F796EBB3350F11B115C7BC5CC47651DBB3C032E7CF70E5199D262646,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:33.548{3F28B219-1285-63EE-0D00-00000000BA02}8924496C:\Windows\system32\svchost.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:33.020{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FE77804BA3C9AAB3890A5F12891BBE6,SHA256=A93C7AEBAB223E4FF8118803E6154CBF5AA236953269A0E4163AEDBD47620D50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:34.703{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=594105A1ED6C622B35E73FD39C46FFDF,SHA256=56FB17269B63E34927F95862C95D7B02BF00D8000273DC37800D19810ECB6E59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:34.110{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CB7EB72739AEF7F346C5DE298FD7B1B,SHA256=07C16DB5C0D5DA9291A45416020D4C62F1853E50086C1427330005EBB211FA70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:35.783{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=680E349DF0EA738FCF5BA781859A07FD,SHA256=4E87A938AC68BC23F3B9A944C17601AB0AB67E48F8173AEEFAF534ED682B6A5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:35.202{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBFD6BA2DC5D2CA945659818A99CBA15,SHA256=0A6DFE215E484D686A3502141CA2800FC76ED3D6FA2FD6A1E6EA8109F577DD5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:32.245{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51603-false10.0.1.12-8000- 23542300x800000000000000088122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:36.875{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB4938B961D26A621D3ADE669E38CAF5,SHA256=33DB4CFE4EDF37A73A031FFB8717C40EAF1B3014EA571BC3A3F7D37DEE26FFE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:36.294{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98CD70651F99C2600F441E62ECB6BC06,SHA256=7F4269FDD1D63835AFBF263BD289962B17DD280F4F46CC146D06E8EBA366B0FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:37.963{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDED578DF4FC5406DC2EA876662D474A,SHA256=FEF827B2D7FCFE138B7A322665A6D3223AF08033B3DB2E9ED7FB6C13351D2C8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:36.375{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64631-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000118640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:37.490{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA873A31228157E19C88F20C2A5A3DAA,SHA256=450675EFC8FC1119C8C1979889DCFE56B1EB4B67EB0BDC5E780EA7E21ABBDB52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:38.577{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61D44BC9A6F7EECFB232DF65031D245D,SHA256=8A0044F72CE023FF7F179C8A0EC6A39B45929987CA5C0D57135D292C16DDA486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:39.653{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E1043D65B2CF916A2DAC9138638EEA3,SHA256=AC2907F7EF919472FC6F9F34AABB7122249FD631A2793C91589D159297C791E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:37.265{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51604-false10.0.1.12-8000- 23542300x800000000000000088124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:39.055{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A1FC8231BBF84FC520A2463A5CBFB50,SHA256=D54AA896066814C35E8D09C69EC04579B02966C6C6AAB1E837C7C961F0CE18C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:40.761{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BD9C08DD8B33E03AFBF4631796AB4A7,SHA256=AA9B77065981E6B98DADE881FC014BE634220C9F33D191A91F45295A85C5B16C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:40.910{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000088154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:40.906{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000088153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:40.904{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000088152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:40.901{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000088151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:40.900{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000088150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:40.898{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000088149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:40.898{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000088148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:40.896{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000088147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:40.895{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000088146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:40.891{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000088145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:40.890{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000088144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:40.887{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000088143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:40.879{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000088142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:40.877{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000088141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:40.870{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000088140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:40.868{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000088139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:40.856{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000088138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:40.847{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000088137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:40.823{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000088136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:40.815{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000088135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:40.797{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000088134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:40.789{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000088133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:40.784{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000088132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:40.777{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000088131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:40.768{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000088130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:40.760{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000088129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:40.752{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000088128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:40.744{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000088127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:40.741{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 23542300x800000000000000088126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:40.142{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BACC693E1D3F4EB865EF1C59B62A1D1A,SHA256=67AD73CB4F90BFD2549D3357916816EAF4B297BACBADC6F075362B5A289D90EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:41.844{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB06138BC39CC59F0789C16F03A9E9AC,SHA256=381DCD8FC7CBAEE6FAD0F7E1BBD1AC82E08AF8683E4A5283B77530121F3B579F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:41.293{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84FAC45B9D83FE69D25807785BE23735,SHA256=469652B2BF1E8A4FD72FCB290D86EF6621BD6A5A4778C870625F87F573A7CFB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:42.918{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2913A07FFC80A86D32145CC5E1848224,SHA256=D62200AE54202810BEBC7F1B0D8504FF4A5CB7E0492FC41D14F0D462789D8F39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:42.758{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1930364F1BF85A8D2E8598589084A67B,SHA256=03F674D4C9631D572B69B8D6ABA0E48C561400025E50E84D2048E2296C315223,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:42.419{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB3814270E85AF3ECD0B83D47FE09249,SHA256=037EEF4BD22E991B82422F873AA5518EDFBAB6FF8F4AB3C91A3C43391EA2482E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:43.517{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8756E196926F91E506B33D079341E73,SHA256=BA9C7696098237719B2AEEADF1611DF240467A121A650C6ED1534612C459B762,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:44.607{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9415C049FD365CEF0F9340EC71AC8EC4,SHA256=02DAF59491AF5E40F186E67D10B0E5C721340172485EBDCEF9094D627CAA0538,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:42.365{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64632-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000118648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:44.307{3F28B219-1285-63EE-0D00-00000000BA02}8924496C:\Windows\system32\svchost.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:44.007{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DAABB58C43300BBFEAA7BD699B4E710,SHA256=386AD0E71EAEA389E183E7C8A6CBBAEE3DCD379D6562579FD7AC7BE247E7CE4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:45.681{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C079F8D43BBA5196A022AA530D26AA7C,SHA256=C3F4AAD13142C03FC482935811444FD970BA4D0CB8C33E0C1665FF63E8FBF676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:45.210{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB879CCE0D421025F8E4419911418EA5,SHA256=C1AE2F077F21DB409EB6874EDBFCF13AD028807A151F69311F672B6048B7D04B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:46.753{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C72E8E860041F8C50FA09B5B02BD0CC,SHA256=69139A2ACF9067D0A6788319E59A0E9168B485821C378C2CB99D006353EDBF06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:46.301{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5265D739EB7D672153A9963F8F5A1077,SHA256=B2B338BD24B1A535D453F3C21041E0268552595B1E799542FE504AA7951BC296,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:43.182{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51605-false10.0.1.12-8000- 23542300x800000000000000088164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:47.822{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85CF2CB41ADE398524C71D4FCE91C331,SHA256=8E9100BD650A41BC649C65CAA262865ADEFB9704825D6FFD0CBEB03532882728,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:47.392{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AC51A8B1692C67AE38B6C095951814D,SHA256=F8351B795D226E2864EC684C5B4ED6B808222E05CB7C65E72088022E2BF2B3B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:48.929{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9369F0554BE5384A14AA093C2CDDC02B,SHA256=EED52CDFDCDE2F9192EEEF7745F912F9F4236734C03CA5620516353C53E75797,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:48.472{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B770EF96F3330B1E2E6BC518324AD3E,SHA256=0D8D98E19703EC152BF4B2D3FFBEB3B15E27A7704B393F3D1B676AAC673183EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:49.532{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E41DCAB6FDE76A949B5A6527A541A40,SHA256=447B2CCDF7C3E6A40862E1FCA36677E965D14547461428F7C3460A0B2BE8169F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:49.410{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:49.407{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:49.405{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:49.402{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:49.396{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:49.389{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:49.387{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:49.375{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:49.365{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:49.357{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:49.355{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:49.353{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:49.347{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:49.334{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:49.329{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:49.318{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:49.301{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:49.291{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:49.268{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:49.229{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:49.216{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:49.205{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:49.189{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:49.122{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:49.118{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 23542300x8000000000000000118682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:50.576{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3D5BC951E304D49D9365E9A7B4DE372,SHA256=CE235D47ABE3AEE504859CDFC97D2B025BE43E4AAF5D9AF3AE46E9E86AFBD21F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:50.978{A847701F-1280-63EE-1200-00000000BB02}1016NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1A24B459C6CBBCA9E8D3BA7CEB2AA238,SHA256=34826E5A8954BF017BF2492224C6D9474928E142D400DF08E43A745CADFF5F61,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:48.185{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51606-false10.0.1.12-8000- 23542300x800000000000000088166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:50.006{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD6E94FABB6A67F9AB007CE102A34B87,SHA256=C6120D85315D73A91DAA8D6F5A1F5EA0F01D7B6A816352F135CC3CC205673E5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:48.282{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64633-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000118680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:50.088{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 23542300x8000000000000000118683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:51.661{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8543520702CC2060D68F0677FF29D383,SHA256=407C7E74B4BECD68AAA4A340931D06CC068106A50E99918B7CCA63D7604B1598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:51.088{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0821234327322EC9D1D9BC91D235F0A9,SHA256=A68CA0711494B05A34B4A1F22AC536515ABBA10C428E0530A6942FE18215A254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:52.957{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0B8C826F0C6AB93F2BDFA2E29D0C3E16,SHA256=1DABD04659349F2D569A76F5B3C0D68837F3145EE87CF951CFD64A9FEBBAEC7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:52.755{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE4196141D4FD9DA9742C6D621F8462,SHA256=46664B0D1E7F4700133D7AE2AED86E5D4BEA47C541980199B7082F2B6451D5A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:52.745{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:52.741{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:52.733{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:52.721{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:52.688{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:52.681{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:52.670{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 23542300x800000000000000088170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:52.180{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D378390E75A91F06AF26524E07BF4367,SHA256=9C2B9C9EB5659829E07E77B4095FFCE931C7DCF8A1DCF65E4C4EACE185F92D80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:52.663{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:52.661{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:52.656{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:52.652{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:52.649{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:52.647{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:52.645{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:52.129{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:52.127{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000118684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:52.126{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 23542300x8000000000000000118703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:53.721{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=867AD1CBAA26DA36E4DD0AF1904727AE,SHA256=A49D4723B581197844D27DCD70C47C2B968D69A5E7E3A426E1DD7028FE96A229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:53.273{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E6D1C0817AAB247963A5A98D70F79B3,SHA256=10562D1E3C5BB3253A397D69EAD14032BFDFF46DF123C43A8AE48497435CF722,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:54.827{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20066DEF563362547194F6CE1A0621AD,SHA256=2B1E6DB018CBEF8D1BE696CB56F12734AECF3BBC7BB9C427349421D8969E2D50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:54.795{3F28B219-1285-63EE-1100-00000000BA02}756NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0A77696D986A165BC678CA9FD8F77599,SHA256=F9C2D37F923CA065091DFA0D5AF13B81E028D8849B0F959A3AD12A5C263E0AC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:54.363{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C976F32FF39975FD9C8E6D86F5D0E3,SHA256=4C45B0C5918C0843C48924AC63101C14960C1F150537E1E20B86E2308F35C0E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:53.329{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64634-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000118707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:55.900{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C590C18CB4B65F19E08B520D7B7B22B,SHA256=08BCF2BAF06A300027EB56B7880E6BA826CD461CBC1C59F99D04720824A81F44,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:53.340{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51607-false10.0.1.12-8000- 23542300x800000000000000088174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:55.444{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D0A7789FC9A4E4545B03FF55F638967,SHA256=047577D112CF686EDB63B185FD124EACD6CBE13AE2DD4ED032129F069D09B06E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:55.186{A847701F-1281-63EE-1C00-00000000BB02}1884NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0729cc0666dfd4ba8\channels\health\respondent-20230216112453-158MD5=B67CF1AA8F02C4F88F32B9662830A5FC,SHA256=A3185EA3A347A8F67D824B533332877713B0C696AA9DEB83501331F2F0EF2A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:56.975{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2AE2119C59B74764F69A7A23DA81327,SHA256=B66E3BDF3DB39E6276BFD9A8F37D563EA48C184EB8873E809539B87EB393D129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:56.525{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9936E695CAA31F7DFEE2CE964879F48A,SHA256=9B158B644974CD08572339FCE61106ED576730716F874F4E1947B4636E8AEB42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:56.190{A847701F-1281-63EE-1C00-00000000BB02}1884NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0729cc0666dfd4ba8\channels\health\surveyor-20230216112450-159MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:57.635{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5FA1A378D79F1F9B451F4E73BF14AE9,SHA256=CB3C4B34B6BE9349E430323EBC0B1A0B5A89F6C3A696096EE7F9726AD390ACFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:58.717{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF921AD37528C4D7E21F222DA4509784,SHA256=8ACE453653E26F54114F7211E969EE5928238DC15C0C6A121D8201DCCFA941D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:58.057{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=363A0B63624D4091DD07F5509559F32E,SHA256=FE12995E32B38082EDCF03C4159F22E8E9352ADEF60C6E377BF16F7D537F6AA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:59.804{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAFD5306BB8489A62A6AB17AD7D8F655,SHA256=872EED1A3AACC7C1D49E01740935438C7AD806A5C71501597D9B76568E148EE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:59.137{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5420BC2C87D495B1D2E89CAB2F24F46,SHA256=B6F50CC0304A390AB8EACF3A760C38046F5CB575835DB2F87C4C2C6362FFC814,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:00.998{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:00.979{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:00.971{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:00.962{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:00.956{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:00.930{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:00.899{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 23542300x800000000000000088185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:00.873{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90A238D690A765DBC963470A9878DBD3,SHA256=81A3FEE43D8A2E6A02E2F28B7487426FC320D48CEC32267C2ECDF5C9B4ACF873,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:00.839{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 23542300x800000000000000088183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:00.838{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=281B95656156CCFC1211A59F701603F1,SHA256=86EC2ED804979D2F26D869E18FE5EEF314C2344A30388E16CC0816FC1020DA93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:00.822{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 354300x8000000000000000118712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:07:59.237{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64635-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000118711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:00.217{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D9F0D41D981D132D3FF45718EDD2699,SHA256=293404AFBDCD75338B6D7C201889DF9DC93B65DC81F774A690B5A49AFE4D8845,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:00.800{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 354300x800000000000000088212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:58.345{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51608-false10.0.1.12-8000- 10341000x800000000000000088211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:01.180{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:01.178{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:01.175{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:01.155{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:01.147{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:01.127{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:01.120{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:01.112{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:01.105{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:01.098{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:01.097{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:01.088{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:01.076{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:01.068{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:01.059{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:01.056{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:01.040{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:01.034{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:01.012{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 23542300x8000000000000000118713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:01.307{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE96AD1A14FE3BBF62B6F18C82BCCFB4,SHA256=1F7CB3655883BF74782A90CDB71E2FA4A029AFB71DB00D795129FC6832910EF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:02.896{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=751A3F030BE96A187DE4FFC73F241854,SHA256=3323A8FB584CBB10B005DC5660C7C2AAC1AD695D23A09D33204246E075186B73,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:07:59.933{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51609-false10.0.1.12-8089- 23542300x8000000000000000118714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:02.383{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978392CACC4779B8B849ED2F7131B8B1,SHA256=11325371908925E8A41684E785B58F6DC5D99AB3DF09682200031B7ED739B25B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:02.438{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13AB168D3AB7D663B18FAA1B2FDC4764,SHA256=3B96FCCE378992BCC25CB8E2927BB58ABF2EB8A4DB19A22B7D6482D050FEEBC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:03.566{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94AC49DB37973713D8C19A9E2302F292,SHA256=91B99D6B751BFF6E84EEB01A785D5592DD93C29972BB297142C345AE99EDE594,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:04.650{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F77B3206F6AE3DD53E35E3E0E419CF34,SHA256=9D1659D7FB14CAE1ECB696150F807B8E85B9AEFC00825255A8E23FB625F6B781,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:04.080{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05E07F9DAC87C3F461AE89177F314555,SHA256=3A6BF9A1E4625AC81E2D49031F016B4FE527E6A945AE5E379C676BE4ED39D157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:05.740{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5364795859FCE5015F6D26B53DB689D4,SHA256=DD525F5EAF34281493BD3BAAD93BADC87061D3E56C1AAA10EFD0AA0427A110CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:05.154{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6F216B02A98A0989183DBAFCC49CD89,SHA256=9B06D91A5ABC7055D45E983F21FC45744BA3D53486FA8FA2D3BDE3B22E5117ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:06.828{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1BF12603B3C096A796FDCFF9B193E30,SHA256=3B1198AB58B3B96D345ADAB4D5F69E4ED39F2602650A078B0B4E794E3BF093D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:04.335{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51610-false10.0.1.12-8000- 23542300x800000000000000088218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:06.241{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAD355FFEAFEBA1F54CC0B88339EB20B,SHA256=22A0453A142AB93B3DA216601CD75F2523B176E6B95FBF0CFAB88A21CF8B16C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:07.902{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9D47B3D43CEED707CC58580B906BC1F,SHA256=ADDAD8A84732BA12EA78D8953357CC0963E98125C1E487FC9371A2855F9F12E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:07.717{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:07.717{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:07.717{A847701F-127F-63EE-0B00-00000000BB02}628716C:\Windows\system32\lsass.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:07.700{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1E00-00000000BB02}1976C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:07.343{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7EB54592C89C6841A15D3432916F20F,SHA256=97AC934CC32954D117C2C1CE36C529BEE66C184FB192844F8D5CF3CBD03EF03D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:05.275{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64636-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000118721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:08.984{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EF937CBB7F45BD74DC7D8CDFA5AAE51,SHA256=5DFD67501301A87E405763B69012EB73A5CE703B09F8445F3FF02E1172D1CEC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:08.430{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2B2D7ED2370789C1DFBA6CED6565076,SHA256=AC40B8259BFDC9D550BF3F9E74024F0BE048266577FBEC25EBDAEA1F618424F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:09.528{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48EDCAD5015073001372740D8E3ACD62,SHA256=FA6125DEDE1ED91317E1B23FDF64056AC25CC9CD2B084D3F6C54A421AC0A8826,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:09.940{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:09.417{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:09.411{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:09.406{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:09.400{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:09.391{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:09.377{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:09.374{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:09.356{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:09.340{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:09.333{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:09.329{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:09.326{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:09.314{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:09.283{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:09.277{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:09.263{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:09.253{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:09.242{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:09.227{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:09.200{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:09.192{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:09.179{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:09.168{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:09.113{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:09.107{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x800000000000000088240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:10.684{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-38CA-63EE-0405-00000000BB02}524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:10.684{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:10.684{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:10.684{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:10.684{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:10.684{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:10.684{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:10.684{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:10.684{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:10.684{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:10.684{A847701F-127E-63EE-0500-00000000BB02}4122656C:\Windows\system32\csrss.exe{A847701F-38CA-63EE-0405-00000000BB02}524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:10.684{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-38CA-63EE-0405-00000000BB02}524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000088228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:10.685{A847701F-38CA-63EE-0405-00000000BB02}524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000088227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:10.606{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=634C973A897E2B1FCDDEBC67C2E16F10,SHA256=19F13290CC44246707251CD9C353B63D06EB437E9C6C1ED4ECD59BED67FE3CA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:10.775{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=281B95656156CCFC1211A59F701603F1,SHA256=86EC2ED804979D2F26D869E18FE5EEF314C2344A30388E16CC0816FC1020DA93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:10.610{3F28B219-1293-63EE-2700-00000000BA02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-005f8c708c98243a3\channels\health\respondent-20230216112509-158MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:10.124{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01290577FEFABFF8973B147770DC166D,SHA256=72C0BEC3A337224DD40F39CC555D034E5A8008119A1A6AC817FDD6941C6967DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:11.988{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:11.987{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:11.986{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 23542300x8000000000000000118753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:11.612{3F28B219-1293-63EE-2700-00000000BA02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-005f8c708c98243a3\channels\health\surveyor-20230216112508-159MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:10.342{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64637-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000118751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:11.222{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5C103B2BEB6DF99D7B31FB965B3D8B,SHA256=28E88A46C4217CD29BB1A1543EC7B686990AFF4D60C80B618DF0FE588F1A97F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:11.596{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D13B38660EDC61BF70EBD6471F6C390A,SHA256=2A6CFFAC31BF544D62DE70FCAABD23C753F8083E3F7C0D04096F47FC90B403C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:11.368{A847701F-38CB-63EE-0505-00000000BB02}1081076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:11.180{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-38CB-63EE-0505-00000000BB02}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:11.180{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:11.180{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:11.180{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:11.180{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:11.180{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:11.180{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:11.180{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:11.180{A847701F-127E-63EE-0500-00000000BB02}412428C:\Windows\system32\csrss.exe{A847701F-38CB-63EE-0505-00000000BB02}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:11.180{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:11.180{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:11.180{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-38CB-63EE-0505-00000000BB02}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000088241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:11.182{A847701F-38CB-63EE-0505-00000000BB02}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000088259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:12.989{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F80381091C43E32343A371CA7693A7D8,SHA256=834CE6679100DD6B805108586CE4D31B8D73DA5ECBCF03A5F0ABA8F44B3B000E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:10.143{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51611-false10.0.1.12-8000- 23542300x800000000000000088257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:12.045{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=946228EE1C5FF68B348A6B712F4C7712,SHA256=AC979990C4956A35A19CFCB25E2A94FCA610BC7B952D7AE9AFCBF473982A279A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:12.045{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B31CEB562535EB77FC8BF34A94F7167,SHA256=005558DB15A9179128A3918BD856AAB7EF118EC6EE314EBE2E4E386EF3F42FE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:12.634{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:12.627{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:12.608{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:12.588{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 354300x8000000000000000118768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:10.919{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64638-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000118767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:12.540{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:12.531{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:12.517{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:12.509{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:12.506{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:12.502{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:12.499{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:12.497{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:12.496{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000118758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:12.493{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 23542300x8000000000000000118757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:12.315{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3386C56416D52358E06E4FB2E8361605,SHA256=FB64B8B51923F8B2CE8855D67E12A84E3C24EE0809EBE6E4DC9E181B8976A297,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:13.573{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-38CD-63EE-0605-00000000BB02}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:13.571{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:13.571{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:13.571{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:13.571{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:13.571{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:13.570{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:13.570{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:13.570{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:13.570{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:13.570{A847701F-127E-63EE-0500-00000000BB02}412528C:\Windows\system32\csrss.exe{A847701F-38CD-63EE-0605-00000000BB02}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:13.569{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-38CD-63EE-0605-00000000BB02}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000088261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:13.569{A847701F-38CD-63EE-0605-00000000BB02}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000088260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:13.208{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E087CC9592609F1CEA42EE2E1A5F52A,SHA256=2F2268686EE86956881D153D6E57722E62D310134C991F404FF52F9362F8523E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:13.396{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE7D587B012D836193C99069E37A91F,SHA256=B74997C5580C60DC76E775A3E1D5430A6EFFEB4391F30C763AB3E966A3AF4572,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:14.888{A847701F-38CE-63EE-0705-00000000BB02}6923704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:14.644{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-38CE-63EE-0705-00000000BB02}692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:14.641{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:14.641{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:14.641{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:14.641{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:14.641{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:14.641{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:14.640{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:14.640{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:14.640{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:14.640{A847701F-127E-63EE-0500-00000000BB02}412528C:\Windows\system32\csrss.exe{A847701F-38CE-63EE-0705-00000000BB02}692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:14.639{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-38CE-63EE-0705-00000000BB02}692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000088275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:14.639{A847701F-38CE-63EE-0705-00000000BB02}692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000088274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:14.310{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FD26970D55D62504FE3D147407942A4,SHA256=177CB1FD3928DC46CACE5CB360E50D6D7FF5DD2428E3E16E6EEA74B80DA97AF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:14.474{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CD3CC9C9382E2FA3F01B5D70EAB4234,SHA256=10995CBDBC0006CF36C8F22A04B070B1910E3F77FA9D14E4EE725B78044805BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:15.922{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-38CF-63EE-0905-00000000BB02}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:15.922{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:15.922{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:15.922{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:15.922{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:15.922{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:15.922{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:15.922{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:15.922{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:15.922{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:15.922{A847701F-127E-63EE-0500-00000000BB02}4122040C:\Windows\system32\csrss.exe{A847701F-38CF-63EE-0905-00000000BB02}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:15.922{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-38CF-63EE-0905-00000000BB02}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000088304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:15.924{A847701F-38CF-63EE-0905-00000000BB02}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000088303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:15.922{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14D6F70420210E28F172E34759A5EE82,SHA256=FAF793542A450B0E08C39CCE8C6D70A45165C07C63AE531CA89F70116C4FE926,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:15.494{A847701F-38CF-63EE-0805-00000000BB02}24042640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:15.563{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4CFA32477D229465A95EF29526EB9F9,SHA256=4C0A16C7477E92E2F3B672CE8EA00903A1970312CFD748DD3FC6A15E00958461,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:15.307{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-38CF-63EE-0805-00000000BB02}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:15.307{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:15.307{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:15.307{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:15.307{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:15.307{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:15.307{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:15.307{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:15.307{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:15.307{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:15.307{A847701F-127E-63EE-0500-00000000BB02}412428C:\Windows\system32\csrss.exe{A847701F-38CF-63EE-0805-00000000BB02}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:15.307{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-38CF-63EE-0805-00000000BB02}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000088289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:15.308{A847701F-38CF-63EE-0805-00000000BB02}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000088318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:16.594{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C66F044ACC3AE9404531B1BBE917DA3F,SHA256=BFE2B411B73D98E456B5A67537F24BE8F5F2C8AA149BEE354B77C82087135E54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:16.643{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6936F745D788F4379D2ECB8D9EFF9906,SHA256=18909071AC701F16C747911FF8E66022BE171FE47474FFA488BDBDC7942C30D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:16.106{A847701F-38CF-63EE-0905-00000000BB02}25483524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000118782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:16.235{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64639-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000118781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:15.074{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local57149- 354300x8000000000000000118780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:15.074{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local54099- 354300x8000000000000000118779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:15.071{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local64213- 354300x8000000000000000118778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:15.071{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local53541- 23542300x8000000000000000118777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:17.734{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=400DBA92313D0351ACA95CF0747A4BA1,SHA256=7FE0225708D4048E4A1DA725713F97289910955FB5200A6F8A817FDA539A9CA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:17.673{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57D7545C040EC82820D65020BCD7A0CA,SHA256=BF93EE0900511CD0FDE55B3F5AE2ED627B95A27562237A674735D127943565DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:18.813{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D1E222990B8F492AD48AD9909718123,SHA256=09F4085D1B34D77F959EC379A3D3F02C3AC2F5C89F26B8CD1CF1EC649627008F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:18.784{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ADB3C5BB531B891520BD9C9599C74B4,SHA256=E62D47DD17429153A1C1B3E3F3DF95ACCB41E9139CFB7DEC611B72DE94771453,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:18.737{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-38D2-63EE-0A05-00000000BB02}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:18.737{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:18.737{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:18.737{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:18.737{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:18.737{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:18.737{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:18.737{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:18.737{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:18.737{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:18.737{A847701F-127E-63EE-0500-00000000BB02}4122656C:\Windows\system32\csrss.exe{A847701F-38D2-63EE-0A05-00000000BB02}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:18.737{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-38D2-63EE-0A05-00000000BB02}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000088321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:18.738{A847701F-38D2-63EE-0A05-00000000BB02}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000088320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:15.272{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51612-false10.0.1.12-8000- 23542300x8000000000000000118784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:19.893{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F00ABBFF571C2D8A6C3EA5045D445A2B,SHA256=9A810D7544E298881107F823E2DDC17E29C32472B4E9D47A54A2D288C412D70A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:19.926{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=859D8408322D9D4E59B0F3290F20F827,SHA256=FE17F253EB061EF63039E145E1C1AF3D1B5B0D7E7E28565EA7D7F15B56E28EC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:19.757{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BDFF1DABDDF92822BB8A49FA2689C8E,SHA256=68171481CF9169961B001468A63C69CC7517110E50E61427B5D242082CB88778,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:20.941{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:20.938{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:20.936{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:20.933{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:20.932{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:20.927{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:20.926{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:20.924{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:20.922{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:20.918{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:20.915{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:20.912{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:20.901{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:20.898{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:20.889{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:20.887{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:20.873{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:20.863{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 23542300x800000000000000088348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:20.850{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A79C25ACC01C86FC840EACD8D9E9CC91,SHA256=A14DC56B3B4A82B40F4A5487D35A03F5BD1EBA4356F4D2714871BEFFB690551D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:20.836{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:20.829{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:20.822{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:20.814{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:20.805{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:20.795{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:20.787{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:20.781{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:20.774{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:20.765{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:20.761{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 23542300x8000000000000000118793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:20.974{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C8E94D6EFD3B1D626AE2B10C70210D3,SHA256=43847E0E1F1F7D3A4B90EC2C0BD68E717D9273286F0FCB2AF262D6BA71494F09,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:20.665{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-38D4-63EE-7805-00000000BA02}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:20.665{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:20.665{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:20.665{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:20.665{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:20.665{3F28B219-1282-63EE-0500-00000000BA02}412524C:\Windows\system32\csrss.exe{3F28B219-38D4-63EE-7805-00000000BA02}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:20.665{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-38D4-63EE-7805-00000000BA02}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:20.666{3F28B219-38D4-63EE-7805-00000000BA02}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000118812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:21.948{3F28B219-38D5-63EE-7A05-00000000BA02}62445324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:21.772{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-38D5-63EE-7A05-00000000BA02}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:21.772{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:21.772{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:21.772{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:21.772{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:21.772{3F28B219-1282-63EE-0500-00000000BA02}412524C:\Windows\system32\csrss.exe{3F28B219-38D5-63EE-7A05-00000000BA02}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:21.772{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-38D5-63EE-7A05-00000000BA02}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:21.773{3F28B219-38D5-63EE-7A05-00000000BA02}6244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:21.756{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EBCF2FC6755E96A29F462BA8398606E,SHA256=23A027A47D5F78392BB89279BE509F8A62730DB9CFB90CF4A076C82B4C733A7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:21.657{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1E192AC00024D4BE6EFFD1B4B5BCC1B8,SHA256=45715667BA9881015D48A2D9AC1C387DFEF59524E7558E5FCAA95CBDB1C0D94F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:21.178{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-38D5-63EE-7905-00000000BA02}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:21.178{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:21.178{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:21.178{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:21.178{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:21.178{3F28B219-1282-63EE-0500-00000000BA02}412524C:\Windows\system32\csrss.exe{3F28B219-38D5-63EE-7905-00000000BA02}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:21.178{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-38D5-63EE-7905-00000000BA02}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:21.178{3F28B219-38D5-63EE-7905-00000000BA02}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000088367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:22.203{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEB7B86644660364DE0D738758EEF19E,SHA256=3DAE9C2CB9289E8F1DAB6D61755453ACE74A4144878AC601D5AC38C9823A013D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:22.908{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-38D6-63EE-7B05-00000000BA02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:22.908{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:22.908{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:22.908{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:22.908{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:22.908{3F28B219-1282-63EE-0500-00000000BA02}412380C:\Windows\system32\csrss.exe{3F28B219-38D6-63EE-7B05-00000000BA02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:22.908{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-38D6-63EE-7B05-00000000BA02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:22.908{3F28B219-38D6-63EE-7B05-00000000BA02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:22.039{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FF3EFE5DDF7953016CE2921A39F36BF,SHA256=91129797E98DC21DDC245CF48B06365F27928286059D1C9750506269DDC13E12,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:20.341{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51613-false10.0.1.12-8000- 23542300x800000000000000088368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:23.244{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4B82E0CB94D9E66EAEA87774FA89F64,SHA256=7E0C2CD2B5DB9AE0BAD615F8C316E5293413F348DB397F243CAD1D27C50F5215,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:22.199{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64640-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000118824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:23.142{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1C7EF34EB23860200A9C5D004C24CE77,SHA256=30B1DC93A89FCB6C83DC65227CB583CBABC49E72B039D3F08B078C5F56C6F74B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:23.111{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE1CC273055622FFC6CB986743B3A144,SHA256=5B23E9F727C881CD36476C404D211E932A0FF4FD4044567B2231EAAB5E4A931B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:23.095{3F28B219-38D6-63EE-7B05-00000000BA02}31041944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:24.333{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22585A85118BA19B4DBDC91511C54986,SHA256=018CC1830942F87D09E6531A6FBFBBA2BC65A7DDA7566973ED6223230D2ABDF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:23.522{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local64641-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local389ldap 354300x8000000000000000118845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:23.522{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local64641-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local389ldap 10341000x8000000000000000118844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:24.795{3F28B219-38D8-63EE-7D05-00000000BA02}47562844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:24.608{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-38D8-63EE-7D05-00000000BA02}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:24.605{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:24.605{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:24.604{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:24.604{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:24.604{3F28B219-1282-63EE-0500-00000000BA02}412368C:\Windows\system32\csrss.exe{3F28B219-38D8-63EE-7D05-00000000BA02}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:24.604{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-38D8-63EE-7D05-00000000BA02}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:24.604{3F28B219-38D8-63EE-7D05-00000000BA02}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000118835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:24.337{3F28B219-38D8-63EE-7C05-00000000BA02}41526728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000118834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:24.181{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B918693A2F6331C45D7C7AB4E8879CBF,SHA256=2D68D6C5ADA4FBD640450C24F2855C9C21BCCCB4531A360D1D4B7FFCD78EC252,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:24.103{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-38D8-63EE-7C05-00000000BA02}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:24.103{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:24.103{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:24.103{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:24.103{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:24.103{3F28B219-1282-63EE-0500-00000000BA02}412428C:\Windows\system32\csrss.exe{3F28B219-38D8-63EE-7C05-00000000BA02}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:24.103{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-38D8-63EE-7C05-00000000BA02}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:24.103{3F28B219-38D8-63EE-7C05-00000000BA02}4152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000088371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:25.410{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=912348D66D05B934B9B7023FDDB946BB,SHA256=9C3D9F6CFE42BAE89986E117FB6D7529B05021E34C4F6642B4844582D78C9AA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:25.258{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F85250A58600BE88BB955E9BB9D1AEF9,SHA256=3A15785E0FCDC9EC3F825FBD89CD2AEFF71B7EB8EED19D6CB452693B2FB07DF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:26.489{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=904B21F9EA4CF81E9628C10417052DF5,SHA256=AE12571F94F04679D3262C1BBCBB523AE36205726B2F747AD662A0FA622A2753,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:26.661{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38DA-63EE-7E05-00000000BA02}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000118861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:26.661{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38DA-63EE-7E05-00000000BA02}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000118860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:26.661{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38DA-63EE-7E05-00000000BA02}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000118859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:26.661{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38DA-63EE-7E05-00000000BA02}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000118858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:26.661{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38DA-63EE-7E05-00000000BA02}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000118857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:26.661{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38DA-63EE-7E05-00000000BA02}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000118856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:26.628{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-38DA-63EE-7E05-00000000BA02}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:26.628{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:26.628{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:26.628{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:26.628{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:26.628{3F28B219-1282-63EE-0500-00000000BA02}412380C:\Windows\system32\csrss.exe{3F28B219-38DA-63EE-7E05-00000000BA02}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000118850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:26.628{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-38DA-63EE-7E05-00000000BA02}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000118849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:26.629{3F28B219-38DA-63EE-7E05-00000000BA02}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000118848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:26.331{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0571CE74AE029CEEBAD35B465A4306B2,SHA256=929C8EF976D824F3EED8BDFD52F7E41DBC649D0294CF7F2DA34DA08330C3BC33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:27.567{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B46E5ED8974F789D26FD3E8158E0D8FE,SHA256=F866575255D56E241EA6D4C4973C207BAE85BE2D1A9135A6CD6123135BB7B604,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:27.680{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81AFF367498ACEDD2E076F1C4AC9EA22,SHA256=F91B77776D289AFC32B695312CD575994ADD5FAFF2313D9A0EE118C7086DF05C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:27.410{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0DB9B911E24C9B5457FE997EE653472,SHA256=F40759C49247AB72047E2E9F89FFE408DA22F376CF9E28C28EC35795B80B34E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:28.663{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12958E83E9E9237D4011F8ECAA476BC2,SHA256=5D9BD35699C01E207BDBD6BB97177AFE438C58FF033DA15FD1309C3AC96438E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:28.499{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C3216FAE586A7801BC3F4CA58BFA9B7,SHA256=17C42B398E4784B5D87032348E4166A7F5D4446F0AB6A3F0032B6366242699A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:26.107{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51614-false10.0.1.12-8000- 23542300x800000000000000088375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:29.758{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=683E966665647F2B069F7AF2B2957842,SHA256=5A16CCE7065124B16DEA602FD7D4DC8F827DDFB433D9E57A07AB84DEE307A3F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:29.925{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 23542300x8000000000000000118892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:29.565{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=063BEA00DC00AE79A106CA45CA78FFE0,SHA256=E9F49578259E337840139ED1BD12A2E64969A57BF08F1A408B19B2F1C40EBD47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:29.496{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:29.490{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:29.488{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:29.483{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:29.475{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:29.462{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:29.455{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:29.436{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:29.423{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:29.419{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:29.416{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:29.411{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:29.405{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:29.386{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:29.378{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:29.370{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:29.357{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:29.337{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:29.323{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:29.279{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:29.268{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:29.259{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:29.249{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:29.153{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:29.143{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 354300x8000000000000000118866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:27.214{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64642-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000088377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:30.835{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B0112646DA298AC752676E6D5719A4C,SHA256=A8F38A8282DC060646721EDB89A5DD3251CF39AA36F67AB288CC12AEFAF9E3E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:30.625{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=644309A1C1D54DD026BFD2C929559ED2,SHA256=9C2935427E21898885F2F0359E97E9067FF3C8AF5A706D73EC9A0974B4D217BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:31.920{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56F9D8A3A59E8C1F7625C7B95EB91F35,SHA256=BCA1C3AB8C5BBFADB76F759FA12119FCDFDA496878329104B40EFB7D9CC18FB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:31.976{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:31.975{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:31.973{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 23542300x8000000000000000118895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:31.709{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DEFEF6D8A30E1AF84EC0364E0906C4C,SHA256=5713E5D1239458BDCC094FFB257B0253089F7512D475D0CA610B370FE5257BCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:32.791{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A3F111D6CEFD54EFCDA1C30D25E7C2B,SHA256=2B9803B5ECFB5358A2786C8CFE3AA81502188A264FFF6471E0FE4719A5CF3B4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:32.600{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:32.592{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:32.584{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:32.571{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:32.568{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:32.568{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:32.568{3F28B219-1283-63EE-0B00-00000000BA02}6284564C:\Windows\system32\lsass.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:32.551{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-14C1-63EE-EE00-00000000BA02}5488C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:32.540{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:32.533{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:32.516{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:32.511{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:32.506{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:32.503{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:32.499{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:32.496{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:32.495{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 10341000x8000000000000000118899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:32.488{3F28B219-14C1-63EE-EE00-00000000BA02}54885628C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136803D0) 23542300x8000000000000000118918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:33.863{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A931012F2AA6961BD43F4E9618DB22AB,SHA256=00116ADE75C021C69E9843CDC6F45BB5B6E7358E2B2DD113789808059F07FE2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:31.126{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51615-false10.0.1.12-8000- 23542300x800000000000000088379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:33.013{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C0B2F55BBA7003A58602DEA2665B61A,SHA256=A502A97A6ABD2CB2D65021410B9318F618C8500215C4FA12AF5437B53D50C9BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:34.953{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6812F44B858AA742FFE66B7F2C417F14,SHA256=251539C9ACC1F0299E72234490AF1B79255999985429EF2B1490104B9073E32C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:34.096{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76AFDD43167653392ED0ABFE0D5B17E1,SHA256=0C05AB79018F975DB588C891A1F972296412E304191A524BDC1ECF756FAB73C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:32.259{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64643-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000088382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:35.166{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17FA025F488A9D3608416D722F56DCD7,SHA256=29C53BB002DDE68151CCE29DB9E7F3F2B6D79095F2812AB5306BC4CDF86860F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:36.253{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1BCE150E070B3CE98CAA5C396D8D9CB,SHA256=68768824AE722A0481EAE11A25949911081D9029B0BE61B5890BC6BE6325E96E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:36.062{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=683A9759E868E49032FD2FA12A3578F0,SHA256=7E503DFA0D587CE37F6BE836CA25A561C471E40E4F15192A153F41AF06080D5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:37.336{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2E031CA0509E9C4D04DCF1C662E61EF,SHA256=E518ADE5B199725DC37F18AC58AA1FEC2A51DA698680C5CC15FEE7F89BAF48DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:37.167{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27FF5655526980961576ED734B5C2BC1,SHA256=16391EF5286081F81C792A59C7D4D5672E7797D6DB66690C623F0291B3E10070,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:38.256{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9560F69C6E406A711E007870A65EE15,SHA256=A8F7B109743C8A62AF263E29DF75414A9A55E284420D91F32062FDC3376E6712,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:38.438{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97AE7AA14B7E1DB232BAFE97D6695B0F,SHA256=79D3911F08CEFE9610B6BD3178E345B324F885E142178FEA4662AA44909D02C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:39.346{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E18342A4F61F1D7C138FAA0CB77D951A,SHA256=63CC7D3A4A5F7342A7C952D39C5C9989FEC8F27C50C15EB71D05949D3A8EEEC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:39.523{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84E4D04134EC1AFE15B28403626B6640,SHA256=18E5E39AD68FE27FDAC34B76074911859C9F92BA3A2302CFC5DBA58C3589E9FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:37.342{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64644-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000118926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:40.441{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F94C7AD92A6F473FB2E8197FF41F47A5,SHA256=BF21C94231E233AC13BD3473A6EC378F833C69C487FEC5E3BAECD8209D4F12A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:40.982{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:40.976{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:40.973{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:40.971{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:40.969{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:40.966{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:40.964{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:40.963{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:40.961{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:40.957{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:40.954{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:40.951{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:40.937{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:40.933{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:40.923{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:40.921{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:40.904{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:40.895{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:40.862{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:40.855{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:40.843{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:40.827{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:40.814{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:40.804{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:40.792{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:40.785{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:40.769{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:40.756{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000088389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:40.750{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 23542300x800000000000000088388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:40.600{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8AA5A2B3E581AB960D76D611DE51EEE,SHA256=C476EADDFAFBAA666E96E53A39E34BDEB8FE3308D83C13AD8D54DFBFCD225F20,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:37.149{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51616-false10.0.1.12-8000- 23542300x8000000000000000118927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:41.540{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=541ED03A4D8654CD4236F2C6A705A6ED,SHA256=2AE260B1FD1F0AE61233D4D33990A3DCD5F9CC7576B8D6970733853E675683E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:41.759{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81BAF2B8822B6B3B3C956DC96EE6A41F,SHA256=8F5D0E5637CF7B9E099F87C21E39ED667D4AEDCCEA47DE9B8871C173A4C23009,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:42.633{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9B580146ECE70D36C05BFE12A7EE92D,SHA256=C48141BBAF1E5C30B661FCCAEDFBFFFFC271416602DE4C99031A9D3FB7285701,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:42.877{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD40A964D6D474F183DFAF72BEAF7E61,SHA256=BA2C80B883C851240DFD10C2B5EBF50C9D8EFD9620138D2C049DEC0A9A643813,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:43.716{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ECAF435AFF02972DAEE6C2AE2CA3C87,SHA256=A3E5D1A19263447EE6223DF17062B17FF2C51560E648E4EC46C51007AFC23118,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:43.978{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F468C4716E9BE9877CF690DD7DEDBCFB,SHA256=E7C3797C2A04BEB3E226B20EBB9F8673CD032E096A16980DFB320E2F39DF162B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:43.233{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1CA884EE8A82F121EA3BA823A2647340,SHA256=CF4C5FE676E7CEA930E128D0520DE7F1B3F044EEE345DAF02AC731293E0629A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:44.808{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=169D8DB256B386683DE2CEF018DB89E7,SHA256=B56D463A253ED2840C3E818CDB369F84C75EB7E0EEF026C62B190B837C26E53D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:42.343{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64645-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000118932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:45.899{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1486C4E4754C535B50E7C6B7FEA25208,SHA256=CF99FDC3B7DDD8492FB176DCE3D0862807DB6F3623347FD6F4827F0CBC29F165,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:45.096{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1F1D982D38B1D8AF6A7253B71F2EE81,SHA256=204F3F4FEAB71AF2CF29D77869EF44DF9669E02F8D31A349FC9C30594F5BD3EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:42.180{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51617-false10.0.1.12-8000- 23542300x8000000000000000118933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:46.976{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1AE90F6AC4BEED1822AF28EC13876C5,SHA256=7C8A0484B3E82960E519D77C1F95ABD66FE43E0AFA4B0EC4E5AA113E070BB78B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:46.092{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0B4C6B971410ED40322A97E8481454E,SHA256=988A58C96898110B4B8FAB0D16511F88587A713787E405D4EAF563AB9D4B8D32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:47.168{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FD87C6369A6E9D7EC126C863D882458,SHA256=C8EBD557B7F2FBCE57E788FD5168EB9BB2FAB3F3FFD192AB7C00DD1FA44A6767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:48.254{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF82E4F7A1E89E8F602FA8206766B434,SHA256=4F8C3D0A5A56B16BB2BCFCDB009087F9AF056B7BF4F560820A9963233353837A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:48.068{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F374DDE5A402804A5B3477B4A799BA1,SHA256=C52B4FB18F169AC6EB2E9D7E0D5528F85B23192FD2B3BB47E747EF508B795B95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:49.342{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F869D828164E500B51B5FC42FF0050,SHA256=740AA4C4DDAB3CF4AA04EAD795608F5366FD600DD117380783C21222EC411FB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:49.992{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:49.422{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:49.417{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:49.415{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:49.409{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:49.398{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:49.390{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:49.387{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:49.374{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:49.365{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:49.357{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:49.352{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:49.349{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:49.341{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:49.325{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:49.316{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:49.305{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:49.289{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:49.277{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:49.265{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:49.228{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:49.219{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:49.207{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:49.199{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x8000000000000000118937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:49.130{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74363A2414512687AFC15523AAABEF31,SHA256=6BB2E7247652D2AD9D7FB05E7BF0E15189BDE0DAB84F2B4F846819B0EC8E9EBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:49.121{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:49.119{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x800000000000000088429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:50.991{A847701F-1280-63EE-1200-00000000BB02}1016NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FA3A8032F38C1C3648D5DADDF44FDBCC,SHA256=8F184D08DEDECD2C1E0ECF97F13D513DB3EF36E27CF53584BEE96FFA75AD24E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:50.444{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66AEA65F9C481C58C57654F134ECFE1F,SHA256=38AFB3462D56D4DD15682889550091ED1F0B0D7E35CC5163AFA210EF1C2357D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:48.196{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64646-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000118962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:50.153{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9DA4B588518C099A8FB106444892AB4,SHA256=47C1F32E32129E1C0637084DCE9E1207EBE336A7026549D8F706944D820AE201,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:51.523{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A81D9E87A4574390D36B1D542C12D4BC,SHA256=8FBF0326D33E953851245E979C1228E51F29CC7D122A36299B67F6850F6FAC2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:51.231{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C39D7F83A566FFBCA862FAA230F0BDE,SHA256=D7F4D9EBE43D33B5B407ADA423CFD6357A2933FB1D3071968FBE64EF6E14606E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:48.210{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51618-false10.0.1.12-8000- 23542300x800000000000000088432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:52.632{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9A4E402EFDB0955C0A50E3BDA8E3A86,SHA256=D418F1C56D1FE9A0FB8BEEBB3463612AE27729B17FDFBC131815B549E4990830,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:52.665{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:52.661{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:52.649{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:52.635{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:52.592{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:52.576{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:52.558{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:52.552{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:52.551{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:52.544{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:52.540{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:52.537{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:52.536{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:52.534{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x8000000000000000118968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:52.317{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1473AFBC7FD3B21F9BED8758B9CEA9F6,SHA256=E5CECA47EB8FCB469C0CB5F549984E6AC6B8505C930621A8877DBF63D7454B9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000118967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:52.026{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:52.025{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000118965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:52.024{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x800000000000000088433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:53.709{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F749AC512645D6F56AAAF6C49E5CF65E,SHA256=87530C45A289E2019A76AA6E650A0491F32110F424F9C971B099F46C781EB1E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:53.402{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D80E06091F4B31A77C549212960C3D1C,SHA256=2D48370B4EF288EAB1F477181DCE8EE2986DEFD4DA4338D45E50E24B5C8C1849,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:53.276{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=128161D71B7C117253F7D13D6F1589BA,SHA256=F969120F23CC1930698005C7D3A91F8FA9FCD2012F1C73C5706BCB4DC335E140,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:54.793{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3B30C8E4ACB226E7B7FBB91B4EDF544,SHA256=AEDD6220B8819ADFC89F7FC69C541ECB6EABA8F885D75DD6797F2A08734DC23D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:54.809{3F28B219-1285-63EE-1100-00000000BA02}756NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A8BC0919AD0D926BE3940EBCBDD1F407,SHA256=751DB28ACC1DC74B3FF00F0F947DDF879A49FE269B9DA994F5D50C0D65AC9A77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:54.495{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6B56056EB8D35A6CA89E5F5ADA5A269,SHA256=1F30BA3D5844C0430741B843E4DF4C9B26A3FDE19463399A8CBA1B7C1EE29A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:55.876{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17B578350F7E9D2972836C5BAC7AFE48,SHA256=8C738B1DDEF8D982D299C891B60C18226C73A8683D1F320BF1071F1255BAAF92,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000118988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:53.293{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64647-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000118987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:55.584{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF210B9A9FC7DD5E4AEBCC37C4033C4A,SHA256=1F909A3C1BF561E20D8A4C8E4DA76EAD68CC808DF4DB77505397BF8C8A328A4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:53.264{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51619-false10.0.1.12-8000- 23542300x800000000000000088438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:56.957{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5709C98052018294181558833E33605,SHA256=BCA9098E226348E1879680DC462A6D6C26BE339C5A83CA8E3883511874A1D6C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:56.667{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39E90DB3819E97E6A6AF5DEBB0996C09,SHA256=8B448632C1A9175BF955F4D611D668EC029BCA211195F2A3A6FB21CF0E5B1796,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:56.729{A847701F-1281-63EE-1C00-00000000BB02}1884NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0729cc0666dfd4ba8\channels\health\respondent-20230216112453-159MD5=B67CF1AA8F02C4F88F32B9662830A5FC,SHA256=A3185EA3A347A8F67D824B533332877713B0C696AA9DEB83501331F2F0EF2A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000118990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:57.748{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5B723D009AC8152C6411074478F83FD,SHA256=CBEA534A133015A920BD14669FC8CA1F71831B244E327837603E964E88A7EB67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:57.737{A847701F-1281-63EE-1C00-00000000BB02}1884NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0729cc0666dfd4ba8\channels\health\surveyor-20230216112450-160MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.863{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B5553A29A0D4FCB4CE646197FA9769E,SHA256=4EDC309391936EC80AA14062244F0D736EB46AEA6907464AC2F5E4C3BB5CAC17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.848{3F28B219-14AC-63EE-CE00-00000000BA02}21047076C:\Windows\System32\RuntimeBroker.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000119023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.848{3F28B219-14AC-63EE-CE00-00000000BA02}21047076C:\Windows\System32\RuntimeBroker.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000119022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.848{3F28B219-14AC-63EE-CE00-00000000BA02}21041008C:\Windows\System32\RuntimeBroker.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000119021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.848{3F28B219-14AC-63EE-CE00-00000000BA02}21041008C:\Windows\System32\RuntimeBroker.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000119020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.837{3F28B219-14AC-63EE-CE00-00000000BA02}21045264C:\Windows\System32\RuntimeBroker.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000119019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.837{3F28B219-14AE-63EE-D900-00000000BA02}50206924C:\Windows\Explorer.EXE{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1088a6|C:\Windows\System32\TwinUI.dll+82197|C:\Windows\System32\TwinUI.dll+be23e|C:\Windows\System32\TwinUI.dll+be209|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.837{3F28B219-14AE-63EE-D900-00000000BA02}50206924C:\Windows\Explorer.EXE{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1088a6|C:\Windows\System32\TwinUI.dll+82197|C:\Windows\System32\TwinUI.dll+be23e|C:\Windows\System32\TwinUI.dll+be209|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.837{3F28B219-14AC-63EE-CE00-00000000BA02}21045264C:\Windows\System32\RuntimeBroker.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000119016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.837{3F28B219-14AE-63EE-D900-00000000BA02}50201020C:\Windows\Explorer.EXE{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1088a6|C:\Windows\System32\TwinUI.dll+82197|C:\Windows\System32\TwinUI.dll+be23e|C:\Windows\System32\TwinUI.dll+be209|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.837{3F28B219-14AE-63EE-D900-00000000BA02}50201020C:\Windows\Explorer.EXE{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1088a6|C:\Windows\System32\TwinUI.dll+82197|C:\Windows\System32\TwinUI.dll+be23e|C:\Windows\System32\TwinUI.dll+be209|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.837{3F28B219-14AE-63EE-D900-00000000BA02}50205700C:\Windows\Explorer.EXE{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9b44|C:\Windows\System32\TwinUI.dll+ba1f7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000119013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.837{3F28B219-14AE-63EE-D900-00000000BA02}50205700C:\Windows\Explorer.EXE{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9b44|C:\Windows\System32\TwinUI.dll+ba1f7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000119012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.822{3F28B219-14AE-63EE-D900-00000000BA02}5020948C:\Windows\Explorer.EXE{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.822{3F28B219-14AE-63EE-D900-00000000BA02}5020948C:\Windows\Explorer.EXE{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.822{3F28B219-1283-63EE-0B00-00000000BA02}6284564C:\Windows\system32\lsass.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.815{3F28B219-14AE-63EE-D900-00000000BA02}50206924C:\Windows\Explorer.EXE{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1088a6|C:\Windows\System32\TwinUI.dll+82197|C:\Windows\System32\TwinUI.dll+be23e|C:\Windows\System32\TwinUI.dll+be209|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.815{3F28B219-14AE-63EE-D900-00000000BA02}50206924C:\Windows\Explorer.EXE{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1088a6|C:\Windows\System32\TwinUI.dll+82197|C:\Windows\System32\TwinUI.dll+be23e|C:\Windows\System32\TwinUI.dll+be209|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.813{3F28B219-14AE-63EE-D900-00000000BA02}5020948C:\Windows\Explorer.EXE{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.802{3F28B219-14AE-63EE-D900-00000000BA02}50206924C:\Windows\Explorer.EXE{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1088a6|C:\Windows\System32\TwinUI.dll+82197|C:\Windows\System32\TwinUI.dll+be23e|C:\Windows\System32\TwinUI.dll+be209|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.802{3F28B219-14AE-63EE-D900-00000000BA02}50206924C:\Windows\Explorer.EXE{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1088a6|C:\Windows\System32\TwinUI.dll+82197|C:\Windows\System32\TwinUI.dll+be23e|C:\Windows\System32\TwinUI.dll+be209|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.785{3F28B219-1285-63EE-0D00-00000000BA02}8925044C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.785{3F28B219-1285-63EE-0D00-00000000BA02}8925044C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.785{3F28B219-1285-63EE-0D00-00000000BA02}8925044C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.785{3F28B219-1285-63EE-0D00-00000000BA02}8925044C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.785{3F28B219-1285-63EE-0D00-00000000BA02}8925044C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.785{3F28B219-1285-63EE-0D00-00000000BA02}8925044C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.769{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.769{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.769{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.769{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000118994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.769{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000118993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.769{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000118992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.769{3F28B219-1285-63EE-0C00-00000000BA02}8322564C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000118991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.769{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:58.038{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D0CD5B5AFA06688DF1FDEA8B54BA8C7,SHA256=A8F2DAF574C19543E622222B098DDD8EB5FB317FDFF348AD8D8CBADC226DED9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:59.973{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6580CEC686CC60CAFA3C8BA94D23F6BE,SHA256=792229018F5B53195F9269C5CE523EB174A5326CB9FA8585093D65165CBBD32E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:58.311{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64648-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000088441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:59.228{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B563BF42574A8EC37F6C2CBAC240D12,SHA256=88AB7C64EA4139A1E27318477312E27371FBC153BE58168DADDDBB546AAF07C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:08:59.341{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=55E87145D46B50E7BA8A325ED5764AF4,SHA256=9A24C7E1CE1349D2FAB06C4AE3D4ED9461236EE0F168EB1AA3E2222E32B191C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:00.804{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3DB1964D9A0EC6E5707B4E16D3042C1,SHA256=1143A0488E7EC38439D5B979ECDA5E31D6D8E23205D5A7039E914AAED8C78DA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:00.984{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:00.980{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:00.974{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:00.971{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:00.945{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:00.935{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:00.882{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:00.876{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:00.858{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 23542300x800000000000000088452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:00.858{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=281B95656156CCFC1211A59F701603F1,SHA256=86EC2ED804979D2F26D869E18FE5EEF314C2344A30388E16CC0816FC1020DA93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:00.850{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:00.838{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:00.820{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:00.803{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:00.788{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:00.771{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:00.769{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:00.761{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 23542300x800000000000000088443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:00.324{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=448D010625F7C973571ACB4A6FBAD9FB,SHA256=EC844FBE84719911A614B7B8D970A28DDC7236C4BF80AF58112591AC7460EA80,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:58.317{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51620-false10.0.1.12-8000- 23542300x8000000000000000119031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:01.899{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDE54B5C96606A1BDD6C3161A487B2F4,SHA256=1F07C4F635EC2FE9EA7044CC9EBBD1CD54345A82B74F70221B5F69EBE806FBA7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:01.883{3F28B219-1285-63EE-1500-00000000BA02}11241236C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:01.522{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6A913AA62CF3E154FBF763A92875269,SHA256=D7BF58DBEA8A19D027C489E2E4B11DA779414AF0FAA9476079009D5FAD21114B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:01.036{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:01.031{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:01.028{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:01.026{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:01.024{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:01.020{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:01.012{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:01.011{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:01.009{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:01.006{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:01.004{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:01.001{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x8000000000000000119058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:02.907{3F28B219-14AC-63EE-CE00-00000000BA02}21047076C:\Windows\System32\RuntimeBroker.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000119057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:02.907{3F28B219-14AC-63EE-CE00-00000000BA02}21047076C:\Windows\System32\RuntimeBroker.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 23542300x800000000000000088475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:02.712{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E55351E7F00B84B4979752D64DE8067E,SHA256=0BDE961AFC2887A2822CE52A60B30427395E9CDB0B69F03E0A78D3F859476B10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:02.881{3F28B219-14AC-63EE-CE00-00000000BA02}21047076C:\Windows\System32\RuntimeBroker.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000119055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:02.881{3F28B219-14AC-63EE-CE00-00000000BA02}21047076C:\Windows\System32\RuntimeBroker.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 23542300x8000000000000000119054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:02.881{3F28B219-14C4-63EE-F300-00000000BA02}5996ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\YG7655QK\microsoft.windows[1].xmlMD5=C1DDEA3EF6BBEF3E7060A1A9AD89E4C5,SHA256=B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:02.855{3F28B219-1285-63EE-0F00-00000000BA02}3042320C:\Windows\system32\svchost.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:02.855{3F28B219-1285-63EE-0F00-00000000BA02}3041328C:\Windows\system32\svchost.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:02.852{3F28B219-14AC-63EE-CE00-00000000BA02}21047076C:\Windows\System32\RuntimeBroker.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000119050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:02.852{3F28B219-14AC-63EE-CE00-00000000BA02}21047076C:\Windows\System32\RuntimeBroker.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000119049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:02.843{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:02.836{3F28B219-14A8-63EE-C600-00000000BA02}4364512C:\Windows\system32\csrss.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:02.827{3F28B219-1282-63EE-0500-00000000BA02}412428C:\Windows\system32\csrss.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:02.827{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:02.735{3F28B219-1285-63EE-0F00-00000000BA02}3042320C:\Windows\system32\svchost.exe{3F28B219-38FE-63EE-7F05-00000000BA02}6764C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:02.735{3F28B219-1285-63EE-0F00-00000000BA02}3041328C:\Windows\system32\svchost.exe{3F28B219-38FE-63EE-7F05-00000000BA02}6764C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:02.735{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-38FE-63EE-7F05-00000000BA02}6764C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:02.735{3F28B219-14C4-63EE-F300-00000000BA02}5996ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\YG7655QK\microsoft.windows[1].xmlMD5=C1DDEA3EF6BBEF3E7060A1A9AD89E4C5,SHA256=B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:02.720{3F28B219-14A8-63EE-C600-00000000BA02}4364512C:\Windows\system32\csrss.exe{3F28B219-38FE-63EE-7F05-00000000BA02}6764C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000119040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:02.720{3F28B219-14C4-63EE-F300-00000000BA02}5996ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\YG7655QK\microsoft.windows[1].xmlMD5=DA4FED877AD4C8A7565D5B6975BC3878,SHA256=7C32F233D557D05A781356E050AE77D2DA7BC382F312F7DFB88EA394EC132941,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:02.720{3F28B219-1282-63EE-0500-00000000BA02}412380C:\Windows\system32\csrss.exe{3F28B219-38FE-63EE-7F05-00000000BA02}6764C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:02.720{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-38FE-63EE-7F05-00000000BA02}6764C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+26002|c:\windows\system32\rpcss.dll+415bd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:02.720{3F28B219-14AC-63EE-CE00-00000000BA02}21047076C:\Windows\System32\RuntimeBroker.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000119036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:02.720{3F28B219-14AC-63EE-CE00-00000000BA02}21047076C:\Windows\System32\RuntimeBroker.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 23542300x8000000000000000119035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:02.439{3F28B219-14C4-63EE-F300-00000000BA02}5996ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\YG7655QK\microsoft.windows[1].xmlMD5=C1DDEA3EF6BBEF3E7060A1A9AD89E4C5,SHA256=B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:02.424{3F28B219-14C4-63EE-F300-00000000BA02}5996ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\YG7655QK\microsoft.windows[1].xmlMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:02.408{3F28B219-14AE-63EE-D900-00000000BA02}50204984C:\Windows\Explorer.EXE{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+7d960|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF800622FC2A8)|UNKNOWN(FFFFA19A00AF3998)|UNKNOWN(FFFFA19A00AF3B17)|UNKNOWN(FFFFA19A00AEE1A1)|UNKNOWN(FFFFA19A00AEFB6A)|UNKNOWN(FFFFA19A00AEDE26)|UNKNOWN(FFFFF80061F70C03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000119032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:02.408{3F28B219-14AE-63EE-D900-00000000BA02}50204984C:\Windows\Explorer.EXE{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7d441|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF800622FC2A8)|UNKNOWN(FFFFA19A00AF3998)|UNKNOWN(FFFFA19A00AF3B17)|UNKNOWN(FFFFA19A00AEE1A1)|UNKNOWN(FFFFA19A00AEFB6A)|UNKNOWN(FFFFA19A00AEDE26)|UNKNOWN(FFFFF80061F70C03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:03.965{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04A4A112275BAA013E8AC88B39B17CC3,SHA256=ADE275AD17A306736EE724BEC033672597FC6C69719142F070205A4F1E82A11B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:03.881{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=153973BD2A9907901920291DADE3EE51,SHA256=C0F5FF4B3CD67B7917B455EC91AB6BF1BC375BAEC09F9893CE1C56D2B1BAE9DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:03.855{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=940C0875C51D7ACE4F70043252D2A493,SHA256=3B3E8EEFD831C9387CBB08673C2DCD45D5681614EF11055DED03D05685DBB816,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:03.404{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:03.404{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:03.404{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:03.404{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:03.403{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:03.403{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:03.378{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-7F05-00000000BA02}6764C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:03.378{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-7F05-00000000BA02}6764C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:03.378{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-7F05-00000000BA02}6764C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:03.377{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-7F05-00000000BA02}6764C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:03.377{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-7F05-00000000BA02}6764C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:03.377{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-7F05-00000000BA02}6764C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 23542300x8000000000000000119065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:03.314{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F389BEBA37952852B3B2C7ED8FC8FE89,SHA256=73CB99B64C98D0C481744658C9801654A830B4900C15B913CFABB674D2BF84E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:03.094{3F28B219-14AC-63EE-CE00-00000000BA02}21041008C:\Windows\System32\RuntimeBroker.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000119063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:03.094{3F28B219-14AC-63EE-CE00-00000000BA02}21047076C:\Windows\System32\RuntimeBroker.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000119062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:03.094{3F28B219-14AC-63EE-CE00-00000000BA02}21041008C:\Windows\System32\RuntimeBroker.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000119061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:03.094{3F28B219-14AC-63EE-CE00-00000000BA02}21045264C:\Windows\System32\RuntimeBroker.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000119060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:03.094{3F28B219-14AC-63EE-CE00-00000000BA02}21047076C:\Windows\System32\RuntimeBroker.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000119059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:03.094{3F28B219-14AC-63EE-CE00-00000000BA02}21045264C:\Windows\System32\RuntimeBroker.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 354300x800000000000000088476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:08:59.944{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51621-false10.0.1.12-8089- 23542300x800000000000000088478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:04.960{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A256E9D96A67290F0465C97C697C08F,SHA256=CF75B2C5CF9269F331B01D0F90433E1C362C9FB926279674B7372D775D94AE22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:04.843{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:04.843{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:04.843{3F28B219-14AC-63EE-CE00-00000000BA02}21041936C:\Windows\System32\RuntimeBroker.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+36da0|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+32f40|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+22544|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\SharedStartModel.dll+77f37|C:\Windows\System32\SharedStartModel.dll+b2d9d|C:\Windows\System32\SharedStartModel.dll+b2a24|C:\Windows\System32\SharedStartModel.dll+b2fab|C:\Windows\system32\windows.cortana.Desktop.dll+a274|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f 10341000x8000000000000000119097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:04.843{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:04.843{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:04.843{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:04.843{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:04.843{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:04.843{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:04.827{3F28B219-14AC-63EE-CE00-00000000BA02}21041008C:\Windows\System32\RuntimeBroker.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+cdc7|C:\Windows\system32\windows.cortana.Desktop.dll+aedd|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000119090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:04.816{3F28B219-14AC-63EE-CE00-00000000BA02}21041008C:\Windows\System32\RuntimeBroker.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+ae11|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000119089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:04.779{3F28B219-14C1-63EE-EE00-00000000BA02}54885660C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080A90) 10341000x8000000000000000119088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:04.779{3F28B219-14C1-63EE-EE00-00000000BA02}54885660C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080A90) 10341000x8000000000000000119087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:04.779{3F28B219-14C1-63EE-EE00-00000000BA02}54885660C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080A90) 10341000x8000000000000000119086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:04.777{3F28B219-14C1-63EE-EE00-00000000BA02}54885660C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-7F05-00000000BA02}6764C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080A90) 10341000x8000000000000000119085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:04.777{3F28B219-14C1-63EE-EE00-00000000BA02}54885660C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-7F05-00000000BA02}6764C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080A90) 10341000x8000000000000000119084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:04.777{3F28B219-14C1-63EE-EE00-00000000BA02}54885660C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-7F05-00000000BA02}6764C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080A90) 10341000x8000000000000000119083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:04.371{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000119082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:04.371{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000119081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:04.371{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000119080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:04.371{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000119119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:05.966{3F28B219-14AE-63EE-D900-00000000BA02}50205700C:\Windows\Explorer.EXE{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9b44|C:\Windows\System32\TwinUI.dll+ba1f7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000119118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:05.966{3F28B219-14AE-63EE-D900-00000000BA02}50205700C:\Windows\Explorer.EXE{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9b44|C:\Windows\System32\TwinUI.dll+ba1f7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000119117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:05.935{3F28B219-1285-63EE-0C00-00000000BA02}8323052C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:05.919{3F28B219-14AE-63EE-D900-00000000BA02}50203220C:\Windows\Explorer.EXE{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1088a6|C:\Windows\System32\TwinUI.dll+82197|C:\Windows\System32\TwinUI.dll+be23e|C:\Windows\System32\TwinUI.dll+be209|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000119115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:04.234{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64649-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000119114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:05.919{3F28B219-14AE-63EE-D900-00000000BA02}50203220C:\Windows\Explorer.EXE{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1088a6|C:\Windows\System32\TwinUI.dll+82197|C:\Windows\System32\TwinUI.dll+be23e|C:\Windows\System32\TwinUI.dll+be209|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:05.919{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:05.888{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:05.888{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:05.888{3F28B219-14AC-63EE-CE00-00000000BA02}21041936C:\Windows\System32\RuntimeBroker.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+36da0|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+32f40|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+22544|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\SharedStartModel.dll+77f37|C:\Windows\System32\SharedStartModel.dll+b2d9d|C:\Windows\System32\SharedStartModel.dll+b2285|C:\Windows\System32\SharedStartModel.dll+b2801|C:\Windows\system32\windows.cortana.Desktop.dll+a80e|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f 10341000x8000000000000000119109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:05.888{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:05.888{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:05.888{3F28B219-14AC-63EE-CE00-00000000BA02}21047076C:\Windows\System32\RuntimeBroker.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+cdc7|C:\Windows\system32\windows.cortana.Desktop.dll+aedd|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000119106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:05.888{3F28B219-14AC-63EE-CE00-00000000BA02}21047076C:\Windows\System32\RuntimeBroker.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+ae11|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000119105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:05.872{3F28B219-14AC-63EE-CE00-00000000BA02}21047076C:\Windows\System32\RuntimeBroker.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+2fc27|C:\Windows\system32\windows.cortana.Desktop.dll+2fb6b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000119104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:05.872{3F28B219-14AC-63EE-CE00-00000000BA02}21047076C:\Windows\System32\RuntimeBroker.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+2fb01|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000119103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:05.872{3F28B219-14AC-63EE-CE00-00000000BA02}21047076C:\Windows\System32\RuntimeBroker.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+cdc7|C:\Windows\system32\windows.cortana.Desktop.dll+aedd|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000119102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:05.872{3F28B219-14AC-63EE-CE00-00000000BA02}21047076C:\Windows\System32\RuntimeBroker.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+ae11|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 23542300x8000000000000000119101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:05.061{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73AE8F24C3A9D761574DF4AF27E59CDF,SHA256=202F025A7412C21CF7758CEF0BBE0A71A7C52D6E7B61415FD695B32A3C15816E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:03.346{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51622-false10.0.1.12-8000- 23542300x8000000000000000119186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.629{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=611B95E1EE96E9615F62F920D3CE247F,SHA256=2171B19129DAD330DC64D11961061E2F69F88DF361F4E01EEC43254669DA1F9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.610{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E61F1156801828A3F6BE077C7B11C40B,SHA256=A473CDF83D076C64FEC22E506697AE9F7EDFB91EFF142603ED2D1EA154305537,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.529{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.529{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.527{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.527{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.526{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.526{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.518{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.518{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.517{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.510{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0700-00000000BA02}484C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.509{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0700-00000000BA02}484C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.509{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0700-00000000BA02}484C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.507{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0A00-00000000BA02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.507{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0A00-00000000BA02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.507{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0A00-00000000BA02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.504{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 23542300x800000000000000088480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:06.054{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3468A364825AF4AB0467EBECE06BE47,SHA256=04EBF8EE16D2E27D18585D0EC92125880B0B5460B74BC86658613AAB8335AA8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.503{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.503{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.499{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.499{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.499{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.489{3F28B219-1283-63EE-0B00-00000000BA02}6284564C:\Windows\system32\lsass.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.489{3F28B219-1283-63EE-0B00-00000000BA02}6284564C:\Windows\system32\lsass.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000119161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-CreatePipe2023-02-16 14:09:06.435{3F28B219-3902-63EE-8105-00000000BA02}6812\PSHost.133210301460398025.6812.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000119160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.419{3F28B219-3902-63EE-8105-00000000BA02}6812ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_51p5luuz.0pk.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.419{3F28B219-3902-63EE-8105-00000000BA02}6812ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_l2qp1bbc.wzz.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000119158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.341{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_l2qp1bbc.wzz.ps12023-02-16 14:09:06.341 10341000x8000000000000000119157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.325{3F28B219-1283-63EE-0B00-00000000BA02}6284564C:\Windows\system32\lsass.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.310{3F28B219-1285-63EE-0C00-00000000BA02}8323052C:\Windows\system32\svchost.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.295{3F28B219-1283-63EE-0B00-00000000BA02}6284564C:\Windows\system32\lsass.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.263{3F28B219-3902-63EE-8105-00000000BA02}68125340C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+13eb73|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\windows.storage.dll+30059|C:\Windows\System32\windows.storage.dll+2ffa1|C:\Windows\System32\windows.storage.dll+2f256|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.263{3F28B219-3902-63EE-8105-00000000BA02}68125340C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+13eade|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\windows.storage.dll+30059|C:\Windows\System32\windows.storage.dll+2ffa1|C:\Windows\System32\windows.storage.dll+2f256|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.263{3F28B219-3902-63EE-8105-00000000BA02}68125340C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+13eac3|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\windows.storage.dll+30059|C:\Windows\System32\windows.storage.dll+2ffa1|C:\Windows\System32\windows.storage.dll+2f256|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.263{3F28B219-3902-63EE-8105-00000000BA02}68125340C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+13eac3|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\windows.storage.dll+30059|C:\Windows\System32\windows.storage.dll+2ffa1|C:\Windows\System32\windows.storage.dll+2f256|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.263{3F28B219-3902-63EE-8105-00000000BA02}68125340C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+140a0a|C:\Windows\System32\windows.storage.dll+13dd6c|C:\Windows\System32\windows.storage.dll+13db48|C:\Windows\System32\windows.storage.dll+30059|C:\Windows\System32\windows.storage.dll+2ffa1|C:\Windows\System32\windows.storage.dll+2f256|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.263{3F28B219-3902-63EE-8105-00000000BA02}68125340C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1409f8|C:\Windows\System32\windows.storage.dll+13dd6c|C:\Windows\System32\windows.storage.dll+13db48|C:\Windows\System32\windows.storage.dll+30059|C:\Windows\System32\windows.storage.dll+2ffa1|C:\Windows\System32\windows.storage.dll+2f256|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.263{3F28B219-3902-63EE-8105-00000000BA02}68125340C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1409f8|C:\Windows\System32\windows.storage.dll+13dd6c|C:\Windows\System32\windows.storage.dll+13db48|C:\Windows\System32\windows.storage.dll+30059|C:\Windows\System32\windows.storage.dll+2ffa1|C:\Windows\System32\windows.storage.dll+2f256|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.263{3F28B219-3902-63EE-8105-00000000BA02}6812ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF967044.TMPMD5=8554CEE29C03241DFB5882E9984AA700,SHA256=FB6542D6D734A4D8C127624D80AED6D404A14B78F01E3564E0322ACDDB2A2FB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.216{3F28B219-1285-63EE-0C00-00000000BA02}8323052C:\Windows\system32\svchost.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.185{3F28B219-1285-63EE-0F00-00000000BA02}3042320C:\Windows\system32\svchost.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.185{3F28B219-1285-63EE-0F00-00000000BA02}3041328C:\Windows\system32\svchost.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.153{3F28B219-14AE-63EE-D900-00000000BA02}5020948C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+18459|C:\Windows\System32\SHELL32.dll+89d20|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.153{3F28B219-14AE-63EE-D900-00000000BA02}5020948C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.153{3F28B219-14AC-63EE-D100-00000000BA02}11764400C:\Windows\system32\taskhostw.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.153{3F28B219-14AC-63EE-D100-00000000BA02}11764400C:\Windows\system32\taskhostw.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.138{3F28B219-14AE-63EE-D900-00000000BA02}50204500C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+18459|C:\Windows\System32\SHELL32.dll+89d20|C:\Windows\System32\SHELL32.dll+1d764|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.138{3F28B219-14AE-63EE-D900-00000000BA02}50204500C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+1d764|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.138{3F28B219-14AE-63EE-D900-00000000BA02}50204500C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+18459|C:\Windows\System32\SHELL32.dll+89d20|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.138{3F28B219-14AE-63EE-D900-00000000BA02}50204500C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.138{3F28B219-14AE-63EE-D900-00000000BA02}50204500C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.122{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.122{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.122{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.122{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.075{3F28B219-1285-63EE-0F00-00000000BA02}3042320C:\Windows\system32\svchost.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.075{3F28B219-1285-63EE-0F00-00000000BA02}3041328C:\Windows\system32\svchost.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.075{3F28B219-3902-63EE-8205-00000000BA02}58406692C:\Windows\system32\conhost.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.044{3F28B219-14A8-63EE-C600-00000000BA02}4363652C:\Windows\system32\csrss.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.044{3F28B219-1285-63EE-0C00-00000000BA02}8323052C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.044{3F28B219-1285-63EE-0C00-00000000BA02}8323052C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.044{3F28B219-1285-63EE-0C00-00000000BA02}8323052C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.044{3F28B219-1285-63EE-0C00-00000000BA02}8323052C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.028{3F28B219-14A8-63EE-C600-00000000BA02}4364512C:\Windows\system32\csrss.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.028{3F28B219-14AC-63EE-CE00-00000000BA02}21043808C:\Windows\System32\RuntimeBroker.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\windows.storage.dll+16fcea|C:\Windows\System32\windows.storage.dll+16faa6|C:\Windows\System32\SHELL32.dll+5c3dd|C:\Windows\System32\SHELL32.dll+5b256|C:\Windows\System32\SHELL32.dll+4d8be|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\windows.storage.dll+fa4e|C:\Windows\System32\windows.storage.dll+fc51|C:\Windows\System32\windows.storage.dll+f88f|C:\Windows\System32\SHELL32.dll+4d8be|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHELL32.dll+1774bb 154100x8000000000000000119120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:06.039{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{3F28B219-14AB-63EE-60D5-0D0000000000}0xdd5602HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{3F28B219-14AC-63EE-CE00-00000000BA02}2104C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding 10341000x8000000000000000119191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:07.257{3F28B219-1285-63EE-0C00-00000000BA02}8323052C:\Windows\system32\svchost.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:07.257{3F28B219-1285-63EE-0C00-00000000BA02}8323052C:\Windows\system32\svchost.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:07.257{3F28B219-1285-63EE-0C00-00000000BA02}8323052C:\Windows\system32\svchost.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:07.179{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=197DD6F779F106279A2A58A42754A6D8,SHA256=7F1162A07227842D79DD5BB89F9F3323453EE036A59774DCAED64206228537CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:07.711{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:07.711{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:07.711{A847701F-127F-63EE-0B00-00000000BB02}628716C:\Windows\system32\lsass.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:07.690{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1E00-00000000BB02}1976C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:07.138{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C85299D4F28D50C9DA4912315717EDF8,SHA256=11A6E4FDD2ABDCA5153D33E9B215EE8D1855630FC56C13F5BF5F1ACA5EFF0C77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:07.100{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7C597749DAFAF43ABB950E207814EE32,SHA256=A452DC2C4FE70848BA4A6AFB34949DB8B91739B71E4E5DF14E992C57BFDC65A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:08.214{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E19D8DAE6E2A27A7033BE9BA348EF3EE,SHA256=EA65BD8EB105550AD4044CA7EBC8A68FE345E545433F78A8ECF9A31F91DB1F88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:08.488{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:08.488{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:08.488{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 23542300x8000000000000000119195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:08.250{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED6B28A38EDE551433B838E89A754D5B,SHA256=F575651195847AE6D0E933A8CB036297AAB7B41C61DE0970BAD48D924F14AB99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:08.049{3F28B219-14C1-63EE-EE00-00000000BA02}54885660C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080A90) 10341000x8000000000000000119193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:08.049{3F28B219-14C1-63EE-EE00-00000000BA02}54885660C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080A90) 10341000x8000000000000000119192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:08.049{3F28B219-14C1-63EE-EE00-00000000BA02}54885660C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080A90) 10341000x8000000000000000119229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:09.471{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:09.467{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:09.465{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:09.461{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:09.449{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:09.438{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:09.434{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:09.422{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:09.412{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:09.406{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:09.402{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:09.399{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:09.391{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:09.372{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:09.362{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:09.345{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 23542300x8000000000000000119213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:09.319{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF4CE76D3782B10E4DA2B2B868AA0BA,SHA256=3F0940BBCCD7CAB36BEC68720BFB49A41CDD58F2FCC42AA5BBEA345BC7D660FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:09.317{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:09.287{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:09.261{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 23542300x800000000000000088487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:09.315{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3621AB155487A84827C108AD6903E990,SHA256=342814124B479DE458B4AE236172F1209640B7E2C653D45315E871C9868C9183,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:09.209{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:09.198{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:09.184{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:09.164{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:09.112{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:09.108{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:09.059{3F28B219-14C1-63EE-EE00-00000000BA02}54885660C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080A90) 10341000x8000000000000000119202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:09.059{3F28B219-14C1-63EE-EE00-00000000BA02}54885660C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080A90) 10341000x8000000000000000119201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:09.059{3F28B219-14C1-63EE-EE00-00000000BA02}54885660C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080A90) 10341000x8000000000000000119200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:09.055{3F28B219-14C1-63EE-EE00-00000000BA02}54885660C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080A90) 10341000x8000000000000000119199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:09.055{3F28B219-14C1-63EE-EE00-00000000BA02}54885660C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080A90) 10341000x800000000000000088501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:10.700{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3906-63EE-0B05-00000000BB02}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:10.700{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:10.700{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:10.700{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:10.700{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:10.700{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:10.700{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:10.700{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:10.700{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:10.700{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:10.700{A847701F-127E-63EE-0500-00000000BB02}4122656C:\Windows\system32\csrss.exe{A847701F-3906-63EE-0B05-00000000BB02}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:10.700{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3906-63EE-0B05-00000000BB02}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000088489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:10.699{A847701F-3906-63EE-0B05-00000000BB02}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000088488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:10.405{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C57CD14DB2E7C1DB51C8279FC4F77B7,SHA256=A65EE528BEE9D3FA3B6ACBDCCFB23DFDE410F9ABF4389D2F9CC02D08F722FA65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:10.795{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=281B95656156CCFC1211A59F701603F1,SHA256=86EC2ED804979D2F26D869E18FE5EEF314C2344A30388E16CC0816FC1020DA93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:10.398{3F28B219-1283-63EE-0B00-00000000BA02}628668C:\Windows\system32\lsass.exe{3F28B219-1280-63EE-0100-00000000BA02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000119233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:10.351{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE3DCE35F8AC6D07D09D4731A935A732,SHA256=E47E7D3FECC7E6880F096BFDD506B3BF24B77851EA2A05A4B14D01943477915D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:10.289{3F28B219-1283-63EE-0B00-00000000BA02}628668C:\Windows\system32\lsass.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:10.289{3F28B219-1283-63EE-0B00-00000000BA02}6284564C:\Windows\system32\lsass.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:10.187{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 354300x800000000000000088519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:09.320{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51623-false10.0.1.12-8000- 23542300x800000000000000088518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:11.807{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8A3726173E09DC638F5C7CAD84ADF11,SHA256=C79AB3D0A4B85DF47D3D1D8F893447A1723C8343E7BA78FE20EF30E22A582355,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:11.588{A847701F-3907-63EE-0C05-00000000BB02}3492308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:11.572{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F4BD846C04A57B588397135DD38800B,SHA256=304EB899985C44E23021BCD5CAA9E3C22C582C03750715C6E1B463D52D25DB75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:11.448{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=75201B64C734F615344E7B89BDCDB3FE,SHA256=62A57F37D2DA5A1BF2A454AF7F35343BFC2993CC50C191A0A6F1DBEBBF31FF10,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:10.563{3F28B219-1280-63EE-0100-00000000BA02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local64653-truefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local445microsoft-ds 354300x8000000000000000119252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:10.563{3F28B219-1280-63EE-0100-00000000BA02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local64653-truefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local445microsoft-ds 354300x8000000000000000119251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:10.461{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64652-false10.0.1.14win-dc-ctus-attack-range-295.attackrange.local389ldap 354300x8000000000000000119250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:10.461{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64652-false10.0.1.14win-dc-ctus-attack-range-295.attackrange.local389ldap 354300x8000000000000000119249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:10.452{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local64651-truefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local389ldap 354300x8000000000000000119248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:10.452{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local64651-truefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local389ldap 354300x8000000000000000119247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:10.173{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64650-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000119246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:11.413{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000119245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:11.413{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000119244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:11.413{3F28B219-1285-63EE-0C00-00000000BA02}8323052C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000119243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:11.413{3F28B219-1285-63EE-0C00-00000000BA02}8323052C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000119242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:11.413{3F28B219-1285-63EE-0C00-00000000BA02}8323052C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000119241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:11.413{3F28B219-14AC-63EE-CF00-00000000BA02}43925172C:\Windows\system32\sihost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:11.350{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1567549B94797C41481753F2A8101D8E,SHA256=38246DD0EC878CEB16E7FD053BD185F036159AF97502BCFE10CDC33B52A7DA4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:11.319{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F4C4E8B97724C7B82E42F3D5251C9E,SHA256=E257B3A91EAD588BAAAC77903C42B548E882CCF536A3D87E0DEB0894C2231223,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:11.366{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3907-63EE-0C05-00000000BB02}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:11.361{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:11.360{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:11.360{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:11.360{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:11.360{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:11.360{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:11.359{A847701F-127E-63EE-0500-00000000BB02}412428C:\Windows\system32\csrss.exe{A847701F-3907-63EE-0C05-00000000BB02}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:11.360{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:11.360{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:11.360{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:11.359{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3907-63EE-0C05-00000000BB02}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000088502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:11.359{A847701F-3907-63EE-0C05-00000000BB02}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000119238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:11.241{3F28B219-1285-63EE-0C00-00000000BA02}8323052C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000119237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:11.241{3F28B219-1285-63EE-0C00-00000000BA02}8323052C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000119236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:11.241{3F28B219-1285-63EE-0C00-00000000BA02}8323052C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000119288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:12.907{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:12.907{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:12.907{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:12.900{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:12.889{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:12.887{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:12.885{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:12.879{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:12.855{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:12.838{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 354300x8000000000000000119278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:10.939{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64654-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000119277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:12.793{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:12.784{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:12.763{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:12.756{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:12.754{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:12.751{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:12.749{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:12.746{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:12.745{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:12.743{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:12.577{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:12.577{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:12.577{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 23542300x8000000000000000119264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:12.396{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89E586FE4AEB575B31D71475499CD895,SHA256=E179348EE58F61D87895CC012D2DB7E518DB59E647C592E780E01059E3AEB86D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:12.396{3F28B219-14AE-63EE-D900-00000000BA02}5020948C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+18459|C:\Windows\System32\SHELL32.dll+89d20|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:12.396{3F28B219-14AE-63EE-D900-00000000BA02}5020948C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:12.380{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:12.380{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:12.380{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:12.380{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:12.567{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2529E53EB9BF18E5BACD71AE65E6BFFF,SHA256=2D9BFCC9E8F9855C4DCE4BBA6DDC81BE876A0E80918985C77F2151C44BEFE16B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:12.226{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:12.225{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:12.224{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 23542300x8000000000000000119254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:12.123{3F28B219-1293-63EE-2700-00000000BA02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-005f8c708c98243a3\channels\health\respondent-20230216112509-159MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000119291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:13.973{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt2023-02-16 14:09:13.973 23542300x8000000000000000119290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:13.758{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58E48D39750F7DEEF14EAB5D67627AAD,SHA256=D72D83ABC67F640DA4B965B6E796502EFEDEB9F349F9931EFC70C56E77B14510,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:13.637{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=019B35648EC4AD62184DDA1FC44BC0BF,SHA256=95360AC88291620416596C22BEC7F7BAD6923C198D2564C6E6A0E91D67A4051F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:13.129{3F28B219-1293-63EE-2700-00000000BA02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-005f8c708c98243a3\channels\health\surveyor-20230216112508-160MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:13.575{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3909-63EE-0D05-00000000BB02}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:13.575{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:13.575{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:13.575{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:13.575{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:13.575{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:13.575{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:13.575{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:13.575{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:13.575{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:13.575{A847701F-127E-63EE-0500-00000000BB02}412428C:\Windows\system32\csrss.exe{A847701F-3909-63EE-0D05-00000000BB02}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:13.575{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3909-63EE-0D05-00000000BB02}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000088522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:13.575{A847701F-3909-63EE-0D05-00000000BB02}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000088521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:13.465{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=ACF8E586E2C5518A89CBA7A1EF39B6A3,SHA256=B1019D51D5D4C53ADA88CE17A521718C57940BE9345CC235202BD278B5BA448C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:14.875{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45EBD2418CD5E0AEA162B8E1881050F2,SHA256=839AE510EBD158E7A2A685D31910B9F0BE6B498EE3839C43F48D94E271AAA1BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:14.842{A847701F-390A-63EE-0E05-00000000BB02}40523872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:14.748{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCFB26C1F3AE6B26F59B405409F02C94,SHA256=DBAC30F133E687465F8D60C07E8B787BE53F042CF66EB506FF3B9395FBE02A3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:14.638{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-390A-63EE-0E05-00000000BB02}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:14.638{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:14.638{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:14.638{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:14.638{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:14.638{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:14.638{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:14.638{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:14.638{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:14.638{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:14.638{A847701F-127E-63EE-0500-00000000BB02}412528C:\Windows\system32\csrss.exe{A847701F-390A-63EE-0E05-00000000BB02}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:14.638{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-390A-63EE-0E05-00000000BB02}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000088536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:14.639{A847701F-390A-63EE-0E05-00000000BB02}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:15.984{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C71B42CE8B539616A8E762F976C7BB0,SHA256=397D66E0A1F54901C86338C41CFD05A8C5F0E6864ACC34E04BE9D37E6754D2E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:15.841{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0281F904BED8E0BAB327F9F365DFA983,SHA256=0372EA020F325FC58E97FFD581B92B6EA6F62DFD48802C86334F25132F2C9268,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:15.810{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-390B-63EE-1005-00000000BB02}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:15.810{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:15.810{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:15.810{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:15.810{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:15.810{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:15.810{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:15.810{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:15.810{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:15.810{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:15.810{A847701F-127E-63EE-0500-00000000BB02}412428C:\Windows\system32\csrss.exe{A847701F-390B-63EE-1005-00000000BB02}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:15.810{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-390B-63EE-1005-00000000BB02}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000088565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:15.811{A847701F-390B-63EE-1005-00000000BB02}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:15.067{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9E2CD5AC02FCE78D79BFAA1B64783353,SHA256=2594830A095B6EA98DB17256B1909ED0384C8B2BC50FA16923C1B12EF0E73CCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:15.385{A847701F-390B-63EE-0F05-00000000BB02}22282328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:15.135{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-390B-63EE-0F05-00000000BB02}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:15.135{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:15.135{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:15.135{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:15.135{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:15.135{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:15.135{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:15.135{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:15.135{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:15.135{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:15.135{A847701F-127E-63EE-0500-00000000BB02}4122040C:\Windows\system32\csrss.exe{A847701F-390B-63EE-0F05-00000000BB02}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:15.135{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-390B-63EE-0F05-00000000BB02}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000088551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:15.136{A847701F-390B-63EE-0F05-00000000BB02}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000088580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:16.912{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AED83DC4F493E110316ABA3C964E750,SHA256=F9DA37205958642E59D48B56FBFE0B8651BC030EF0B568781FA814AC8A474EC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:15.211{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64655-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000088579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:16.027{A847701F-390B-63EE-1005-00000000BB02}16163048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:17.077{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA80573C89CEB0EB4ACD66AEE395B39B,SHA256=4740FA4C0C8B79EC9CAFED8AE0F0482FB6591CB791F0B630B9AD76E9233FC34B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:17.002{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5792EFE57A0D60A69E71CC92F0D141D6,SHA256=7918656F7C284C5F01B65ADEF77555667A7A99081D92A1A029A5C9275219CBBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:18.152{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2300BB733ADC630E1DB8CEEB4AAA691B,SHA256=3377981BFBE809FCDF74006C293D9A9D0E6053C3E807EBBB3762059D1CD0139D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:18.750{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-390E-63EE-1105-00000000BB02}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:18.750{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:18.750{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:18.750{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:18.750{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:18.750{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:18.750{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:18.750{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:18.750{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:18.750{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:18.750{A847701F-127E-63EE-0500-00000000BB02}412428C:\Windows\system32\csrss.exe{A847701F-390E-63EE-1105-00000000BB02}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:18.750{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-390E-63EE-1105-00000000BB02}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000088583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:18.750{A847701F-390E-63EE-1105-00000000BB02}1268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000088582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:18.013{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFD54ACC87AC8BB4FD0DF0269AC55CCA,SHA256=6C686427D7BD2963985E6DE8B48FC1BB2D75E28B5B11E10852FE380A4A7F2B95,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:15.317{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51624-false10.0.1.12-8000- 23542300x800000000000000088596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:19.107{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA8AB84CA7BD3DC3234405B76B3F3B8D,SHA256=53718FE43A6EE063E2CA8121A8B87E2CD32FD1DB873CA936A7F836173BF22636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:19.235{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7EA18E0194B20FA4B2AF45A74F3C1CC,SHA256=C99793B0E739D2A3FC516DF6B652BE8C4F1F8C6A224A727FB4E361CD45DA1C41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:20.998{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:20.993{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:20.983{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:20.971{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:20.966{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:20.951{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:20.946{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:20.918{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:20.908{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:20.874{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:20.864{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:20.853{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:20.842{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:20.827{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:20.817{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:20.804{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:20.792{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:20.777{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:20.759{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:20.756{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 23542300x800000000000000088598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:20.199{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2351BC46FEC574C1C72EC03212C7B13,SHA256=3E8D6FD6FA70892568821A837F9E3AF5ED0C8B01A28C5803E48ACD6DCADC93CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:20.931{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3910-63EE-8305-00000000BA02}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:20.853{3F28B219-1285-63EE-0C00-00000000BA02}8324572C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:20.853{3F28B219-1285-63EE-0C00-00000000BA02}8324572C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:20.853{3F28B219-1285-63EE-0C00-00000000BA02}8324572C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:20.853{3F28B219-1285-63EE-0C00-00000000BA02}8324572C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:20.853{3F28B219-1282-63EE-0500-00000000BA02}412524C:\Windows\system32\csrss.exe{3F28B219-3910-63EE-8305-00000000BA02}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:20.853{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3910-63EE-8305-00000000BA02}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:20.670{3F28B219-3910-63EE-8305-00000000BA02}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:20.310{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B925EEF8197614E82D6500AECA6CD458,SHA256=C43AD0634FDFBAB196B5434EB6B69D2DEEF78A878F59BE0310042BB38E125307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:20.076{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9D5E711DE42C59AE03660956D510C1E2,SHA256=312619E1772A3027042E18967DE83EE2D253115348D242C5C33708D5BD205E64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:21.502{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B50C7755FA69FB8A6D316C71E0C0CA7C,SHA256=4A5923C7F21D16DAC0C11958E640DB5A565E0231DB459CE53A4D399022ED4462,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:21.731{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36A073598E5D5A38C71DEBF8ED9463AD,SHA256=1341C7281B85D8BB574D40D77CC86125023762566CCEDD184CC442C94106560E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:21.652{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3911-63EE-8405-00000000BA02}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:21.637{3F28B219-1285-63EE-0C00-00000000BA02}8324572C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:21.637{3F28B219-1285-63EE-0C00-00000000BA02}8324572C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:21.637{3F28B219-1285-63EE-0C00-00000000BA02}8324572C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:21.637{3F28B219-1285-63EE-0C00-00000000BA02}8324572C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:21.637{3F28B219-1282-63EE-0500-00000000BA02}412368C:\Windows\system32\csrss.exe{3F28B219-3911-63EE-8405-00000000BA02}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:21.637{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3911-63EE-8405-00000000BA02}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:21.482{3F28B219-3911-63EE-8405-00000000BA02}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000119316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:21.451{3F28B219-3910-63EE-8305-00000000BA02}25563796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:21.402{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE488271B41ABD70058AE8A951D1A177,SHA256=15333266F07D3AA99D2BDACF1232D401551A341DD4E747A926EE81F8C15C0043,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:21.033{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:21.024{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:21.019{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:21.016{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:21.015{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:21.010{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:21.007{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:21.006{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000088619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:21.003{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x8000000000000000119314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:21.076{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3910-63EE-8305-00000000BA02}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:21.076{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3910-63EE-8305-00000000BA02}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:21.076{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3910-63EE-8305-00000000BA02}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:21.075{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3910-63EE-8305-00000000BA02}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:21.075{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3910-63EE-8305-00000000BA02}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:21.075{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3910-63EE-8305-00000000BA02}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 23542300x800000000000000088629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:22.666{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DF2F73D5070BF0D5E694CB03FC20A75,SHA256=BFDB7D015AA700FB8594165685C5DDD2658E1D92F9B1B2AC9B3186EC48433DE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:22.478{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3912-63EE-8505-00000000BA02}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:22.478{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0707DFF26D9A8215F52551088DB33957,SHA256=EB12B5F37A88B5031ED4459A3824ECA29DD99C6EC6EABDEDD4050C1395965BC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:22.478{3F28B219-1282-63EE-0500-00000000BA02}412524C:\Windows\system32\csrss.exe{3F28B219-3912-63EE-8505-00000000BA02}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:22.478{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3912-63EE-8505-00000000BA02}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:22.478{3F28B219-1285-63EE-0C00-00000000BA02}8324572C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:22.478{3F28B219-1285-63EE-0C00-00000000BA02}8324572C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:22.478{3F28B219-1285-63EE-0C00-00000000BA02}8324572C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:22.478{3F28B219-1285-63EE-0C00-00000000BA02}8324572C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:22.323{3F28B219-3912-63EE-8505-00000000BA02}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000119327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:20.376{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64656-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000119326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:22.093{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7CCDE931D027653C0E10BB434D360279,SHA256=9B46826F3BCFE024BC579844C89A11727CD7466DA5C402E29816FE1D413F014F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:23.690{3F28B219-3913-63EE-8605-00000000BA02}1124120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:23.565{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B5C593BC6E5BE11A00AEFD13B3D57F5,SHA256=43C935FE5E78C398690D995914401D7108113539C5FFB0A69B7A2424DB4CBB83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:23.756{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A8C26FA6B9A5F6E73D5571F3365EDCD,SHA256=AEF929B03F3B95E4902D06D78F06F9FC42A308F8E4E8BA6A154579898ACE7564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:23.432{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=96A5BF28F305EC866EBB4FB5C13DA7CF,SHA256=7A1084FEBC888180C120E5A074095251BD8F15125F0BD560E45A77139ED7680E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:23.384{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3913-63EE-8605-00000000BA02}112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:23.384{3F28B219-1285-63EE-0C00-00000000BA02}8324572C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:23.384{3F28B219-1285-63EE-0C00-00000000BA02}8324572C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:23.384{3F28B219-1285-63EE-0C00-00000000BA02}8324572C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:23.384{3F28B219-1285-63EE-0C00-00000000BA02}8324572C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:23.384{3F28B219-1282-63EE-0500-00000000BA02}412380C:\Windows\system32\csrss.exe{3F28B219-3913-63EE-8605-00000000BA02}112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:23.384{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3913-63EE-8605-00000000BA02}112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:23.195{3F28B219-3913-63EE-8605-00000000BA02}112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000119371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:24.890{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3914-63EE-8805-00000000BA02}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:24.874{3F28B219-1285-63EE-0C00-00000000BA02}8324572C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:24.874{3F28B219-1285-63EE-0C00-00000000BA02}8324572C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:24.874{3F28B219-1285-63EE-0C00-00000000BA02}8324572C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:24.874{3F28B219-1285-63EE-0C00-00000000BA02}8324572C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:24.874{3F28B219-1282-63EE-0500-00000000BA02}412524C:\Windows\system32\csrss.exe{3F28B219-3914-63EE-8805-00000000BA02}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:24.874{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3914-63EE-8805-00000000BA02}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:24.720{3F28B219-3914-63EE-8805-00000000BA02}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:24.657{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D4F6DDEBEDB69774FC00B4329A0F478,SHA256=999D1A2DB28E56217DA0C006CF40BA5975B40F3B081FDD9B6F6DDDE1B178F924,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:24.838{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7742646919071F8F086BF0DBFFF6FF77,SHA256=42B3BFE3E6582BAF07225E89980E413F32F2E18CD17AE04E939F9BD5A594BF0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:24.298{3F28B219-3914-63EE-8705-00000000BA02}58165268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:24.153{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3914-63EE-8705-00000000BA02}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:24.153{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3914-63EE-8705-00000000BA02}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:24.153{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3914-63EE-8705-00000000BA02}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:24.153{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3914-63EE-8705-00000000BA02}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:24.153{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3914-63EE-8705-00000000BA02}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:24.152{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3914-63EE-8705-00000000BA02}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:24.046{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3914-63EE-8705-00000000BA02}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:24.046{3F28B219-1285-63EE-0C00-00000000BA02}8324572C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:24.046{3F28B219-1285-63EE-0C00-00000000BA02}8324572C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:24.046{3F28B219-1285-63EE-0C00-00000000BA02}8324572C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:24.046{3F28B219-1285-63EE-0C00-00000000BA02}8324572C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:24.046{3F28B219-1282-63EE-0500-00000000BA02}412380C:\Windows\system32\csrss.exe{3F28B219-3914-63EE-8705-00000000BA02}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:24.046{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3914-63EE-8705-00000000BA02}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:24.047{3F28B219-3914-63EE-8705-00000000BA02}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000088631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:21.311{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51625-false10.0.1.12-8000- 10341000x8000000000000000119395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:25.952{3F28B219-1285-63EE-0C00-00000000BA02}8324572C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:25.936{3F28B219-1285-63EE-0C00-00000000BA02}8324572C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:25.936{3F28B219-1285-63EE-0C00-00000000BA02}8324572C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:25.936{3F28B219-1285-63EE-0C00-00000000BA02}8324572C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:25.936{3F28B219-14A8-63EE-C600-00000000BA02}4363652C:\Windows\system32\csrss.exe{3F28B219-3915-63EE-8905-00000000BA02}3088C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:25.936{3F28B219-14AE-63EE-D900-00000000BA02}50206512C:\Windows\Explorer.EXE{3F28B219-3915-63EE-8905-00000000BA02}3088C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+4d8ef|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHELL32.dll+16c38c|C:\Windows\System32\SHELL32.dll+19ebfc|C:\Windows\System32\SHELL32.dll+2846f3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+16c630|C:\Windows\System32\SHELL32.dll+169a0e|C:\Windows\System32\SHELL32.dll+40eb1|C:\Windows\System32\SHELL32.dll+43d96|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x8000000000000000119389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:25.865{3F28B219-3915-63EE-8905-00000000BA02}3088C:\Program Files\Notepad++\notepad++.exe8.49Notepad++Notepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Temp\1.ps1"C:\Windows\system32\ATTACKRANGE\Administrator{3F28B219-14AB-63EE-60D5-0D0000000000}0xdd5602HighMD5=5BE76B396AF91837C038EF58CC3AB0C8,SHA256=DE844BAE026E847B6BF54582E3CA331AE3D47ABF6BD7729B174C921DEAED70AE,IMPHASH=E458F0E3EAD86E56BBB64D1C785C450E{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\explorer.exe"C:\Windows\Explorer.EXE" /NOUACCHECK 13241300x8000000000000000119388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:09:25.764{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000119387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:09:25.764{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0096bc70) 13241300x8000000000000000119386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:09:25.764{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d94207-0xe49bebd3) 13241300x8000000000000000119385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:09:25.764{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d94210-0x466053d3) 13241300x8000000000000000119384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:09:25.764{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d94218-0xa824bbd3) 13241300x8000000000000000119383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:09:25.764{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000119382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:09:25.764{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0096bc70) 13241300x8000000000000000119381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:09:25.764{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d94207-0xe49bebd3) 13241300x8000000000000000119380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:09:25.764{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d94210-0x466053d3) 13241300x8000000000000000119379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:09:25.764{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d94218-0xa824bbd3) 23542300x8000000000000000119378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:25.732{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C7130C7FC2CDB2790F3F07F727A3CC,SHA256=DF88BA3032C2F520DBB4377868EB19A3AC5F1E79A3ADA5C9C0BD73E144967D8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:25.925{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F779AE2C81911BB1C2509423A8B017D7,SHA256=B748A59BF02BAA88F21F84A114B1ABF797DBFDDEB51F5C331A7C7EC7611B5E9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:23.528{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local64657-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local389ldap 354300x8000000000000000119376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:23.528{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local64657-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local389ldap 10341000x8000000000000000119375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:25.129{3F28B219-3914-63EE-8805-00000000BA02}25485728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:25.115{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3914-63EE-8805-00000000BA02}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:25.115{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3914-63EE-8805-00000000BA02}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:25.115{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3914-63EE-8805-00000000BA02}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 23542300x8000000000000000119414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:26.829{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71336C63A68E107D3F872384227F9530,SHA256=0CC1915BE8E5F01AB2C1CFAC91ADC9F4121581A243AF0A6603038252B1C47DE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:26.791{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3916-63EE-8A05-00000000BA02}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:26.788{3F28B219-1285-63EE-0C00-00000000BA02}8324572C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:26.787{3F28B219-1285-63EE-0C00-00000000BA02}8324572C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:26.787{3F28B219-1285-63EE-0C00-00000000BA02}8324572C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:26.787{3F28B219-1285-63EE-0C00-00000000BA02}8324572C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:26.787{3F28B219-1282-63EE-0500-00000000BA02}412380C:\Windows\system32\csrss.exe{3F28B219-3916-63EE-8A05-00000000BA02}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:26.787{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3916-63EE-8A05-00000000BA02}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:26.648{3F28B219-3916-63EE-8A05-00000000BA02}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000119405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:26.144{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3915-63EE-8905-00000000BA02}3088C:\Program Files\Notepad++\notepad++.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:26.143{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3915-63EE-8905-00000000BA02}3088C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:26.143{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3915-63EE-8905-00000000BA02}3088C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000119402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:26.125{3F28B219-14AE-63EE-D900-00000000BA02}5020948C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:26.125{3F28B219-14AE-63EE-D900-00000000BA02}5020948C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:26.125{3F28B219-14AE-63EE-D900-00000000BA02}5020948C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:26.077{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:26.077{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:26.077{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:26.077{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:27.925{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D527E57E3AEB3E59CE6B2B9AB30DAB4,SHA256=4DCF6D8B8DFA1DDEC754AD4ED6253F98B8DA968BD1F131E615D88E213E837176,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:27.813{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=EFDF09D45705A2E888951F3A2B81DD75,SHA256=B3D350BC23FB5F8B8B64FD741B59164132E197E25867F1BA85A9348049F4E364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:27.004{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=531122339D9FA502D826A2E2B8666CA6,SHA256=AA9B26839D34B22A25B077CB2FD4B1C8B669EC1B7DF684E7F3FA9F019212824F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:27.324{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CE40ADE24A30BCAD7A32906F2AC6390,SHA256=D1DCF14D3A6A59F9C2AF798D56656A4FE99ED97CDF2C5E5E48861DF711BE8D86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:28.891{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AE99A6F9EF833F67B5C24207961595D,SHA256=49E8BED705A6346435ADCBF67DBF5CC84C03737AD69E9810CA48D90096ADC09F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:28.084{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8328CCE87469B0CABBAAB759C02CC74,SHA256=6A992E8650BFD8FA6B5077D432248D552082458727F22DA9DFD55F502F87935D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:26.269{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64658-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000119446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:29.929{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=547DB1027A3301E442F44596DB956B56,SHA256=BF0E9269F5648C5B4DA30AEB46794512066733A49FFADB6AC2363827D22EB464,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:27.124{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51626-false10.0.1.12-8000- 23542300x800000000000000088636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:29.166{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05DF7ADDC094BF542F7231FEAD71EA94,SHA256=A06CE06D3A3E274FBA44F809B0B33B8C88148EBFC38F81A27ED84D522B4E3FA0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:29.800{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:29.424{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:29.420{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:29.419{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:29.416{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:29.411{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:29.405{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:29.402{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:29.390{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:29.383{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:29.378{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:29.375{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:29.370{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:29.355{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:29.343{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:29.338{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:29.323{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:29.308{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:29.295{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:29.269{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:29.242{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:29.232{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:29.218{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:29.203{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:29.134{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:29.127{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 23542300x800000000000000088638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:30.243{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=000BEFE0B9BD8BB11D4DFBEB16BEB524,SHA256=22267BD9D8751FF69F9D9A203D56D230AD899438C2E827FFF2B323D1760179EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:31.312{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4154FEED0A09DBD3AF5EBE058AF33BF4,SHA256=3D12744EC42B15CB9C5C4A894026D88FB7816A5F2C99CF58C5F2B6F585C6732C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:31.862{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:31.860{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:31.852{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 23542300x8000000000000000119447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:31.007{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=039A946EBF033287588C843DDAEC54EF,SHA256=03832D308FA9BBC4DDD638C3FFFC2B1D0179B80A4B48F0C067A36862102C6C99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:32.403{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9369387C25379A9C579994CD24750804,SHA256=AA32AAD7858BA411EC34D63FDFAFD62F2FCAC2E495710BD4653407A394273E4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:32.586{3F28B219-1285-63EE-0C00-00000000BA02}8324572C:\Windows\system32\svchost.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:32.586{3F28B219-1285-63EE-0C00-00000000BA02}8324572C:\Windows\system32\svchost.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:32.586{3F28B219-1283-63EE-0B00-00000000BA02}6284564C:\Windows\system32\lsass.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:32.551{3F28B219-1285-63EE-0C00-00000000BA02}8324572C:\Windows\system32\svchost.exe{3F28B219-14C1-63EE-EE00-00000000BA02}5488C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:32.501{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:32.486{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:32.485{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:32.482{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:32.479{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:32.463{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:32.453{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:32.417{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:32.406{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:32.393{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:32.386{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:32.384{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:32.382{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:32.379{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:32.376{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:32.376{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 10341000x8000000000000000119452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:32.373{3F28B219-14C1-63EE-EE00-00000000BA02}54886344C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001AB98190) 23542300x8000000000000000119451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:32.092{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC019E3D07F119F9FEECE7002F76F716,SHA256=6B376B00C67006F2C61A2AB85841D8611B5E29EEF652525B3890B88BBDFDA91D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:33.467{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=643FCCC666AD10DAB0CD2686201084D6,SHA256=CFE50EC0CEB696408644ECE71698581E95D77C5A8AA50B8B6E24F9A1861DA019,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:31.325{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64659-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000119473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:33.180{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C43A77CC3B1815819417D859B253943,SHA256=2CB214E185440A5EE7F9CA32D93EC9F531B62382C238C211197D5CCE900FFDF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:34.539{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AC1C2E50289EB0D87C4BA76D7917691,SHA256=89B2C5DDA61427433C1036B4749F7942BBF1864900A7C2AB77A0F5E0AD82C529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:34.404{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EA6C9283AAEFFED25D0104CDE84BAE7,SHA256=C2CAC808EBDC7E0E4B4A74CB6875BAEDBDD64383AFAEBBB43AA59187DD471C8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:35.488{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AC4E7A8788169913BDC7F0432274714,SHA256=5188D42090F5634B5F950A998778C85DECFF518E8734E24180C6442EF49EC908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:35.617{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DEF4C8949996E29E39A79BFE6F61699,SHA256=6A9C563F5C2B509533169A03401C78D8396910CF894E9A53CC34FA377D95ED66,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:32.199{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51627-false10.0.1.12-8000- 23542300x8000000000000000119477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:36.577{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6650AAD6B633F7EDCCB37DA9199EDDD,SHA256=C4910F66A9D1A11E7488B81534C37A8193BBC41BEF5D77781A1F4B8C0D26A75B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:36.702{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE418604E9CEF8D1B6F34C00263A379,SHA256=24EF74C2E8429C65DABF600BC9839AE70C35982F04B80C5A7F0FE202861B485A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:37.656{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=898B7F8DAFE0557B0018B1BB90A58DE4,SHA256=2C581ED89F89EBC6A4C5DB9F6232C6C1FBBF48A2C2770CC07C5FA6DDFE8132AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:37.786{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F687260BA979AE4A46A7FED345DA935,SHA256=5AB31BE3806B860A3A01CA43D86F1BB201397F734C156C5AA13556B339C255DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:38.752{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63C292682F2D814C3E5FEA7E96AE46DC,SHA256=3D1D9F73729A46822816DD775CD78910BCEF604D3DE308E983D0C7E647D8D21D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:38.862{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0023C5D62939BC6FCE61AF8D4011DF9,SHA256=93D1181D49E18D370470D8F7203487028A5AB67BD90915DC33C756A46561E1C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:37.201{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64660-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000119481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:39.850{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44D11F3706110896786F03EA45CCFF15,SHA256=805A1D0C8986A01DEFF5ED1AA342AED3EA4909DDA2D86F8C68F0C811554DD072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:39.968{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDEEF0FFE475AF3349D066BB33AB3EFE,SHA256=EDBF2041EA068CED7D9415F8E07545947BB59C8BFD00431506DA8CF10AFF5466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:40.931{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DC03249859FF55B956C5A16749B35FC,SHA256=42BCA3211C560BA137B9697DC3F1C40A4F4840251E6E8F28672EA154B06438C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:40.969{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000088676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:40.965{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000088675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:40.962{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000088674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:40.960{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000088673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:40.959{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000088672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:40.956{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000088671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:40.955{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000088670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:40.954{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000088669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:40.951{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000088668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:40.949{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000088667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:40.947{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000088666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:40.943{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000088665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:40.934{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000088664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:40.931{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000088663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:40.922{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000088662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:40.918{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000088661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:40.904{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000088660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:40.896{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000088659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:40.863{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000088658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:40.851{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000088657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:40.840{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000088656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:40.831{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000088655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:40.819{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000088654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:40.810{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000088653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:40.794{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000088652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:40.784{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000088651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:40.774{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000088650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:40.761{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000088649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:40.754{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 23542300x800000000000000088679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:41.178{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48CBF81C8271C70DBC9CE36BBCFC8D0B,SHA256=B4468ECCE3A14836B7EF2E4EA9572458E8C70D4EACBB497E134CF4A3994817A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:38.164{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51628-false10.0.1.12-8000- 23542300x8000000000000000119483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:42.014{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77603C0B2C5BB9FDF74B61505E860FB8,SHA256=5818DB2F69BC54A95A6FB7FF0ED9A56CED2057F516F1E5A1966BB40CB90671F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:42.633{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D9D9EBC576ED5F826688FA8B8E3A2427,SHA256=00AE737A04BE21CD5E8E344172FFB3C601F31A68684B51D8267F2BA0787FA56C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:42.049{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC0239808B37D11503B9FDE38019233E,SHA256=8D96F2DD4D0614F9E08AD0D1F01B4871E7F63B1CA06E221EA6A19B5CE76FEC06,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:42.237{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64661-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000119484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:43.105{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12357086362D4D41E5187A82EFCA2AE3,SHA256=6555CEF7AB5FC56CFC826594ABF1DF705BD82155A3703577DF55468677EBDB63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:43.129{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07E9E6AE6C079B7601F7802F50D0DC4B,SHA256=B534ADBCFB13C43267ED2BA5B7882446AB6FE4FC7A3727AC5CECE58F72DEF14B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:44.188{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAF7B9726E6113C9E3FD5E4FC2A87EC4,SHA256=C726CD9616FCBCDA2771F420F736CB256CC7F431FB013C3000FC42D20719F014,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:44.217{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4D0398066F1AD86CBDCE332271A4816,SHA256=7C72F459340ECC643DF25DAC74745DA530687D60BC16FDB15953BBF483EE6533,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:45.273{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB75AD0CDC1BF6D7C36A45EE57BAEBC2,SHA256=C0A6955E2B75EE76DA71A2F70B3C3256BD0DEE3EB7751A6C3D99A06B92ABCC58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:45.293{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E50CF2EDDA8C651EC73BEDFE14036B,SHA256=962F7BAEA633780F0F8A143B2D48468DCF4AAFC7AC7AC022207F0E8DAB819423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:46.381{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4078ABA885ADCE334465F826BAE313EE,SHA256=5EBAAE9B22BE91D98D191376E5615A6CE1B464005377DF5A4A9473078FF003B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:46.361{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F21ABB26D0EA760318ADF57D3BB7528,SHA256=8BD5C36D308A16FC18DB09EEE0235FFE44640FE23D6E22E4C18DDF6AD758F6F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:47.470{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=015D4710F719847D0B7EA7D168AF6149,SHA256=1BA5F6236B94B27CE14468AB04E55CB98F84ACCA13A316E4996EBCD00BD86880,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:47.429{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A55534A88D5675A041A4F92E7F1ED312,SHA256=618BCBD375F6BA8E7845DE8346513F304676C7A053A8EF960916F63BD68BFC0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:44.170{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51629-false10.0.1.12-8000- 23542300x800000000000000088688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:48.553{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEFF893693BE65033278DDD8054DB853,SHA256=18CE4A6C343B1A79CFE54E02C6EE1D8F03DC90070241C7AFC455235B5A1383E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:47.328{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64662-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000119490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:48.525{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE082182DE445EEE0F8585869A1E3D3F,SHA256=1DF9A0307F8376B32455893E853A176FD2EBAB9F1175AEAFFF5419ECFACCC95E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:49.643{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=150702748499B2BD8A5992A2629DF1BB,SHA256=06911F7DA4046BEC9007D6CC796A40807A77ACA5232DEC189C98AAB719D52F51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:49.761{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x8000000000000000119517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:49.565{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5DA6C4C8BC303EC70FE1D88BD349166,SHA256=FBCB421750BB8860F37F09EF6E0807E2B605968032BAEE68E71791CCFCC94D81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:49.342{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:49.337{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:49.335{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:49.332{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:49.327{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:49.318{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:49.315{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:49.303{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:49.297{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:49.292{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:49.290{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:49.288{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:49.282{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:49.268{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:49.262{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:49.252{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:49.241{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:49.231{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:49.215{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:49.187{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:49.179{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:49.169{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:49.160{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:49.115{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:49.111{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 13241300x800000000000000088691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-SetValue2023-02-16 14:09:50.984{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d94210-0x55c257e6) 23542300x800000000000000088690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:50.723{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40B07B109AD70158C4138171F19396E4,SHA256=DD77E2EF8AD3F4BCBBB24BE4866029BFEEBDCB336264107AFD5D2CD8EFE57AA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:50.637{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B67004C650D8A95AA8539F169023440C,SHA256=6A9D45C79B9ACE0256D5691B2896D838F494D5DA8A3AA4C83499AA285AC8C721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:51.812{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A193EE431091805C8ABEACD55AA8A591,SHA256=47D72E7579606E272742EBCBA90E37F226576E551DE876BF0454B6936BACFBA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:51.794{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:51.793{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:51.792{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x8000000000000000119520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:51.714{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E27D88FF808AD238E9C6EFDB4E73067,SHA256=D0AC1F3504FB84C5B46FBD5C857CF56B32C2C05899BFE67CCEAEDE8A7B077E34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:51.000{A847701F-1280-63EE-1200-00000000BB02}1016NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FCC06C044648980B8C762BCB6EF39E72,SHA256=D35B616DA30FE178FC39FB59401527879041640DA34377719EE349B62D72B3BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:52.886{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F708715B884FD9E1C7AEFDAB666C7C2,SHA256=76C76505BC11FA35615C119AA4BEF87A7961095992F5A4298887193AB1DA9359,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:52.781{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A29F8A9F0145122A8237471E91DE93D,SHA256=9F6E58A2F56161845CCA201514C639FAE809682EF4093CE46B0602418CCD6663,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:49.257{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51630-false10.0.1.12-8000- 10341000x8000000000000000119540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:52.441{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:52.430{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:52.429{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:52.426{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:52.420{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:52.397{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:52.385{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:52.345{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:52.336{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:52.324{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:52.317{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:52.315{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:52.312{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:52.308{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:52.306{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:52.305{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000119524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:52.303{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x800000000000000088697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:53.957{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3F6DA929EBC19C6089A5487C4B38852,SHA256=29DE4B1D65DA8BCF0949406FA238F9AC7BE402CF22DE80DFC4DF5C74FF28442F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:53.881{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=594CCE8F4AFEE2D98FB87E17C3113C9D,SHA256=611BCB2797B7FF062974AA45BCE67ECB2DFB4CB261E01D870D867DD809A52811,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:52.383{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64663-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000088696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:50.061{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal123ntpfalse169.254.169.123-123ntp 10341000x8000000000000000119566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:53.556{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:53.556{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:53.556{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:53.556{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:53.556{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:53.556{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:53.556{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:53.556{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:53.556{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:53.556{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:53.556{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:53.556{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:53.556{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:53.556{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:53.556{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:53.556{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:53.556{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:53.556{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:53.556{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:53.556{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:53.556{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:53.556{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:53.556{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:53.541{3F28B219-15C5-63EE-3701-00000000BA02}5348ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=22481A61ECDEF818F25B6370F12FC88D,SHA256=836E5BE45B52695BDDEF86853E7C84736A4C683F3B12002DA4570B1E3CB1D8BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:53.541{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=84FDA3AE8CFA72836A3AC350B44B530A,SHA256=7519A98C3FED9189F81F437CF7BB2E2AE1623EBBF90998D2E1B7A8CF79E4A8A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:54.966{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2760C10C2D876D37D30C96D1D7F3EA48,SHA256=0ACC97212041A5FEBAB772070369BF63352162035CD423CE3A25101A65A2991C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:54.813{3F28B219-1285-63EE-1100-00000000BA02}756NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CE9D5D56D0910D28A3DE477A033D902E,SHA256=E4B9F72DEAD1F91CEAC618F7908F681EBA1B49C6D7C01A09C077F34FF02021DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:55.040{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F247A28D85235DB171B96543E9EA18DE,SHA256=F6400946F28574F23680907FD0115CE438B1CE70E8D1ACB32575B4AE0B5726AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:56.121{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B023CCBC79CD5C5033E529E0FE964E0F,SHA256=33025A87E2AC5F5C322C5E84B3C421CC50D6ECB0C419466D4898A8C27850248C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:56.067{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1183D758DFF180BA29C028724F765ECB,SHA256=6FD55943EFB05C7A4285BEABC1D4AC97F6ED35BF5BF5000A314D3087B1B31E9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:55.254{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51631-false10.0.1.12-8000- 23542300x800000000000000088700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:57.211{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A524F4D3ED3AECE1C8845F68C9A5F97F,SHA256=3A89BF02B6F9CF061EF324A78C275E0DCCE5DBC6785257F05A83E145C0C8580C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:57.173{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F9A19FE1DB062B21349B5D4CCAC3C0,SHA256=32D7EC94E48001639555B802208576D1EFD40A58C456F36071E4C8DCE7453074,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:58.306{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D732AE177A3E81416DC3F66ECAF2314F,SHA256=5CC1C0906B7F0A10DB18E10B834469CB8E364A2B801010ABC9D8F3C81643F977,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:58.279{A847701F-1281-63EE-1C00-00000000BB02}1884NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0729cc0666dfd4ba8\channels\health\respondent-20230216112453-160MD5=B67CF1AA8F02C4F88F32B9662830A5FC,SHA256=A3185EA3A347A8F67D824B533332877713B0C696AA9DEB83501331F2F0EF2A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:58.251{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98F299E549A5842B5B330E23E260BD5C,SHA256=BCCD47BB4EF42D67B0EFB66CBD3A349946C6246A25FFAB3F40D6B03CDB19BA56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:59.309{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=467B136823175BF8EF5C9E7BAAC5C414,SHA256=C2EEE0B076E3CA7E0D5C49E242B47B99C4A8B82EC3E2A2DFC36C5BDED0439AB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:58.162{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64664-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000119574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:09:59.334{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4753F4D6CB7E92DDAFABD68D3BA20731,SHA256=9ACBD3387658373BD6F0D16CE21B16DBD337ED39007AB782038F1B3EE5B05263,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:59.254{A847701F-1281-63EE-1C00-00000000BB02}1884NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0729cc0666dfd4ba8\channels\health\surveyor-20230216112450-161MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:00.998{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:00.995{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:00.990{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:00.988{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:00.987{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:00.984{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:00.983{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:00.982{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:00.980{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:00.978{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:00.975{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:00.972{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:00.964{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:00.961{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:00.955{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:00.952{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:00.940{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:00.921{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 23542300x800000000000000088718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:00.881{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=281B95656156CCFC1211A59F701603F1,SHA256=86EC2ED804979D2F26D869E18FE5EEF314C2344A30388E16CC0816FC1020DA93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:00.878{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:00.869{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:00.861{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:00.852{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:00.844{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:00.832{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:00.821{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:00.814{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:00.800{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:00.783{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:00.757{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 23542300x800000000000000088706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:00.388{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62D95E0288845B7675648F3D33AACBE7,SHA256=7B48B1BB2BC4C3AFC9BBD833DC052791DD2D9786991C35CE978DB2199D0E9398,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:00.542{3F28B219-15C5-63EE-3701-00000000BA02}5348ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\1.ps1@2023-02-16_140953MD5=EAB1FE34D2118D5B008CF0ECF493627F,SHA256=CB11E9609D57CBEF960595C0666B74E2C4099954F91D5E1E2D4077229BFE635B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:00.406{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E79DF39EEA3E36744010AE5EDD89413,SHA256=BFDB149622A00EE3BBCB9F372D76E2A5A6B5553580018B416332E64C2248029F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:01.901{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6322A3E2A2373AD1D1D590C0B42EA35,SHA256=61F175555AE6F164697659F9E3A3432BEBFF3C68E8B399083BCD562B4849FD71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:01.504{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8162E24FE4FE0E148BAD0C3A4B7D8076,SHA256=30857E745ABF6EC303370F30EDBE36E966C6E004C08FC18C2EBE4308BC933051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:02.991{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF4302198B115D3CF7DCA3D92D112FDE,SHA256=4F5226E186E79684907D0B36D6EA1122BA29EB538639674C9E42450A38012C64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:02.594{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD3A2FF2D011826FFF7E396238676C2C,SHA256=F8437C119EAAA82AF6170798FF70B3D71C9C0545CE51E9B51F8AE08C4EA54294,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:09:59.962{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51632-false10.0.1.12-8089- 23542300x8000000000000000119580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:03.667{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0719038081F70785BEDD0A4991920246,SHA256=42AE25108DD2E4C39D759EE023B3D320691C2FFAEE3C5FEDC26421FD73D4072F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:01.171{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51633-false10.0.1.12-8000- 10341000x8000000000000000119591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:04.975{3F28B219-14AE-63EE-D900-00000000BA02}5020948C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+18459|C:\Windows\System32\SHELL32.dll+89d20|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:04.975{3F28B219-14AE-63EE-D900-00000000BA02}5020948C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:04.975{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:04.975{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:04.975{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:04.975{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000119585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:03.269{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64665-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000119584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:04.777{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A297BC34647A6A073F5A09474F436546,SHA256=E004EFA7171038D90CDE6867DE6F7B50803B777037A5FCBED67A35F16E7EC77A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:04.089{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B18B74FE3804E5EA9D24DC71092FCFE3,SHA256=7CE33CDD927159DF6B5A52532617C23C58064B5F8EF5B1019AC21A6F4359C048,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:04.464{3F28B219-15C5-63EE-3701-00000000BA02}5348ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\1.ps1@2023-02-16_140953MD5=65FB14C4AC1AF822731456BBF0D83D92,SHA256=75A9D89999BE0DF11059FDC6E2257EA2E633910FEBCA9ADC2FA59E1708C11276,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000119582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:04.464{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exeC:\Temp\1.ps12023-02-16 11:56:09.298 23542300x8000000000000000119581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:04.464{3F28B219-15C5-63EE-3701-00000000BA02}5348ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\1.ps1MD5=13D70E76B0FC13061F8B7F20CF702BC9,SHA256=54E8806288F28FF4F2495C4F67935A83204D131B71749A914FE8FC75409F4B8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:05.853{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B94B0B2FC0467823E467F0662D4A8E1,SHA256=9F0555802F7B0AA71849AD9D8ED0A01E9FBD78A6979A12BAA4192F3DC064E6FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:05.172{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C861E790CEF59BB0970DC09CB79D9186,SHA256=7AA501D29B623ACED81B875234F23B602A7DBAD80F90C9F5B3528917EB7C4590,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:06.956{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4DB1F703B7B7EA949A9D6A752C33987,SHA256=E8DE280DFBFE4DD93BA48ADE4473CB0055D6BD2FD5F56CE1FE91960C6E757F94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:06.252{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E79E95C164D3FA40B31D81961CC19D,SHA256=4789ECE74AF4CB9D114E8AC3DEB899E8875D9F8902E4F706CDF58573E680A8E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:07.718{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:07.718{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:07.718{A847701F-127F-63EE-0B00-00000000BB02}628716C:\Windows\system32\lsass.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:07.699{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1E00-00000000BB02}1976C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:07.328{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9241236459FEAE7BF3D386062878357,SHA256=CCC0CB1836A74AA368715F9E98E51938498CD563BA1456E5AB04BC2605417A80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:07.466{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3D5BC807E61000D2650C6369B9B3657B,SHA256=1668E78BF6411CF7894F98241E82A063C6827F30BA04E6067B5511CB961C770C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:06.306{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51634-false10.0.1.12-8000- 23542300x800000000000000088749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:08.418{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBB7D7B62B9BB5F0204D59D4D72E852A,SHA256=BD21E47E1E54BC71E455C7CFA150655402254752B6EFF856DCB29580F39E053A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:08.587{3F28B219-14AE-63EE-D900-00000000BA02}5020948C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:08.587{3F28B219-14AE-63EE-D900-00000000BA02}5020948C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:08.587{3F28B219-14AE-63EE-D900-00000000BA02}5020948C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:08.572{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:08.572{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:08.572{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:08.572{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:08.139{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=4E3A09A3F93162CB4107CA760225AE78,SHA256=D7A09400C0F3DE3A316C21780CEA72AA4D0F938654BF6D475597F9FF90C81712,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:08.036{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F86672D19D2C2AEF57C6D8900D135D,SHA256=858CDCAA57F954FA91BFDAF8B24CE6FE5679BF2EF4CFB445078F462B4954A8C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:09.500{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9526FB78E436B77A9D7A1F37A9378340,SHA256=A0336205191793DB0C7B3F8E5666F81BB915BB81B777FD54A87C90DF0AA11344,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:09.510{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:09.501{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:09.499{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:09.496{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:09.490{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:09.483{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:09.480{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:09.469{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:09.461{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:09.457{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:09.454{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:09.452{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:09.443{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:09.417{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:09.408{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:09.396{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:09.383{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:09.369{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:09.353{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:09.295{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:09.282{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:09.259{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:09.234{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:09.148{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:09.128{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 23542300x8000000000000000119604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:09.128{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40C867B0947FD6623DE23FA81CDE97DA,SHA256=B495CFC9A673071B529A9DA700FFBB04A1616D230567BB1B1B697C9191C1F462,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:10.594{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB4E5698E95EA9877E544FB7BF47BB69,SHA256=2C1D4ED51E0B32DE1FC6397A5AE91DE4C8375C40BB3984D24A10836983BB8EC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:10.563{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3942-63EE-1205-00000000BB02}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:10.563{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:10.563{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:10.563{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:10.563{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:10.563{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:10.563{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:10.563{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:10.563{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:10.563{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:10.563{A847701F-127E-63EE-0500-00000000BB02}4122656C:\Windows\system32\csrss.exe{A847701F-3942-63EE-1205-00000000BB02}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:10.563{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3942-63EE-1205-00000000BB02}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000088752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:10.564{A847701F-3942-63EE-1205-00000000BB02}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000119633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:09.267{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64666-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000119632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:10.800{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=281B95656156CCFC1211A59F701603F1,SHA256=86EC2ED804979D2F26D869E18FE5EEF314C2344A30388E16CC0816FC1020DA93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:10.226{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 23542300x8000000000000000119630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:10.154{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B9565BF91694204785BD7BC8A08F538,SHA256=F20683E0F55A8FAB3001DB66454D9430CDB51A8072E0ECC429A30FDE7614899A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:11.974{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E780A1695FE4C50C92AE719D42A06E39,SHA256=00AFB2AD595476788950E16EEF5AA44D5A9FCDBA12F6A2F6599D027B3DFB5DEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:11.651{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=916CE55566278B844FE27D2AA4ECF68B,SHA256=2EDF63D61B48DC9502C10BE774D40EC09273D3F0B343E6F73C0388958F7F9F51,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:10.955{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64667-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000119634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:11.233{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70C8938C01CC0FF98275A9D9AACB1CD5,SHA256=21AABF142886F45F16F9124EBB18985478AB713E8B8B359982258719C50AD766,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:11.417{A847701F-3943-63EE-1305-00000000BB02}36003528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:11.229{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3943-63EE-1305-00000000BB02}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:11.229{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:11.229{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:11.229{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:11.229{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:11.229{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:11.229{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:11.229{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:11.229{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:11.229{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:11.229{A847701F-127E-63EE-0500-00000000BB02}4122656C:\Windows\system32\csrss.exe{A847701F-3943-63EE-1305-00000000BB02}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:11.229{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3943-63EE-1305-00000000BB02}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000088766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:11.230{A847701F-3943-63EE-1305-00000000BB02}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000088784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:12.733{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A839E2E2D46A08C59790C3F52A3E8F21,SHA256=56E00B81CA169C2BA3A8C97871E92D35A5C183D1EED61AC3BA6A1435BB681490,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:12.732{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=65D1C761FA2B39CB509AA4D6F9A321A5,SHA256=119E1C9ABF92556A1C06922806DA9798C020590F9F11ABD7C989054DA64F753C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:12.968{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:12.951{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:12.948{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:12.945{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:12.939{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:12.911{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:12.899{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:12.858{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:12.840{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:12.820{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:12.810{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:12.807{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:12.801{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:12.795{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:12.789{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:12.788{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:12.786{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 23542300x8000000000000000119639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:12.294{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9E4F238A83B06A70F8176E57EC5DE1B,SHA256=AB7D858F9918FEC69454F05C9E0427B2D5B835691877474F51912B6842916F75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:12.276{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:12.275{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 10341000x8000000000000000119636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:12.273{3F28B219-14C1-63EE-EE00-00000000BA02}54885624C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080F10) 23542300x800000000000000088782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:12.077{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=87BED477297C1D93A38E152DB3681828,SHA256=BA00CD0FD22C573D6F829A104D3DDCDA6F91BD2E9451235D2EE870B0389FF382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:13.816{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE79000B3FC7A0813352F1A22B28CE9,SHA256=C193BE5632D0DF25884473CDCD3178C22D5350204171EA27FC0C4C41AC778F95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:13.645{3F28B219-1293-63EE-2700-00000000BA02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-005f8c708c98243a3\channels\health\respondent-20230216112509-160MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:13.348{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA1CD9E91563D75F0B3AD566149416E9,SHA256=5B9BD76EC4C421DC72AAC47412D83594E207DB376507EAA78588F1E59ACD04AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:13.582{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3945-63EE-1405-00000000BB02}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:13.582{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:13.582{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:13.582{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:13.582{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:13.582{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:13.582{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:13.582{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:13.582{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:13.582{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:13.582{A847701F-127E-63EE-0500-00000000BB02}4122656C:\Windows\system32\csrss.exe{A847701F-3945-63EE-1405-00000000BB02}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:13.582{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3945-63EE-1405-00000000BB02}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000088785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:13.582{A847701F-3945-63EE-1405-00000000BB02}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000088813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:14.917{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=164381E2D57CF924E5AF454534404B15,SHA256=8B1F4BD8B8941CAE7F889D958DA8FD323C9DF4FC7DB1281CDE80A090DFFA2E8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:14.649{3F28B219-1293-63EE-2700-00000000BA02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-005f8c708c98243a3\channels\health\surveyor-20230216112508-161MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:14.429{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA8384B08ED37BDB903321A947AB6981,SHA256=52DC0D2DC11F2BB7807B0A12655BB9F416FA3A91FED78CBB42778FBA50FFD583,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:14.809{A847701F-3946-63EE-1505-00000000BB02}2460212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:14.636{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3946-63EE-1505-00000000BB02}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:14.636{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:14.636{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:14.636{A847701F-127E-63EE-0500-00000000BB02}4122656C:\Windows\system32\csrss.exe{A847701F-3946-63EE-1505-00000000BB02}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:14.636{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:14.636{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:14.636{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:14.636{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:14.636{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:14.636{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:14.636{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:14.636{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3946-63EE-1505-00000000BB02}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000088799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:14.637{A847701F-3946-63EE-1505-00000000BB02}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000088840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:15.991{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:15.991{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:15.991{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:15.991{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:15.991{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:15.991{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:15.991{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:15.991{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:15.991{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:15.991{A847701F-127E-63EE-0500-00000000BB02}412428C:\Windows\system32\csrss.exe{A847701F-3947-63EE-1705-00000000BB02}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:15.991{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3947-63EE-1705-00000000BB02}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000088829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:15.992{A847701F-3947-63EE-1705-00000000BB02}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000119662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:14.401{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64668-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000119661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:15.507{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=912A8038352F03D9595B025C5ECEFFFA,SHA256=C023243A5ACFECAB02777B499B499F5EB8E5D566C551281A0999AED225236606,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:15.470{A847701F-3947-63EE-1605-00000000BB02}20443112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:15.314{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3947-63EE-1605-00000000BB02}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:15.314{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:15.314{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:15.314{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:15.314{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:15.314{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:15.314{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:15.314{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:15.314{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:15.314{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:15.314{A847701F-127E-63EE-0500-00000000BB02}4122040C:\Windows\system32\csrss.exe{A847701F-3947-63EE-1605-00000000BB02}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:15.314{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3947-63EE-1605-00000000BB02}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000088815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:15.314{A847701F-3947-63EE-1605-00000000BB02}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000088814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:12.146{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51635-false10.0.1.12-8000- 23542300x8000000000000000119663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:16.580{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50AB40978B5D3E8417EE42CD780DEDB8,SHA256=D309C6E0C7F3A1F1ED71256CC66230BA58F367C117BF882E7F215C6AECF9AC32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:16.181{A847701F-3947-63EE-1705-00000000BB02}31243052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:16.143{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3947-63EE-1705-00000000BB02}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000088847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:16.143{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3947-63EE-1705-00000000BB02}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000088846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:16.143{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3947-63EE-1705-00000000BB02}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000088845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:16.143{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3947-63EE-1705-00000000BB02}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000088844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:16.142{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3947-63EE-1705-00000000BB02}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000088843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:16.142{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3947-63EE-1705-00000000BB02}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 23542300x800000000000000088842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:16.038{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B42FA15AAE09D1249AF779D2130D285E,SHA256=A780CFED00552714C8A16BF4AE65B8F3FFDD4DBF48E1AD0381E4AE0823021B87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:15.991{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3947-63EE-1705-00000000BB02}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:17.665{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FE727623298B51E1C4F94A5F3A490E9,SHA256=F7537D2EB388BA3B579AD70A412F4EB9D21022579ABC7F0A8189E2C275020242,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:17.257{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7BC8CD17C153B65F5B5AFDB10BB63BD,SHA256=B8D58F556ACF3BE5E63052D5189AE6B1A99251F54995426D97843BAD8A33454B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:17.013{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0D5071D3306D1B13BBB0052DC8F09E4,SHA256=A913B1D9C7996AD52342A0A430BDB43FE11D6349013DDB8B060644C469230035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:18.743{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58A04CAA99737F728E65C3965B241744,SHA256=4B4B692425FEB44D478F849B510EBEAD8B59365D9235D13106F92071AF855F07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:18.760{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-394A-63EE-1805-00000000BB02}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:18.760{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:18.760{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:18.760{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:18.760{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:18.760{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:18.760{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:18.760{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:18.760{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:18.760{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000088855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:18.760{A847701F-127E-63EE-0500-00000000BB02}412428C:\Windows\system32\csrss.exe{A847701F-394A-63EE-1805-00000000BB02}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000088854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:18.760{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-394A-63EE-1805-00000000BB02}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000088853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:18.761{A847701F-394A-63EE-1805-00000000BB02}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000088852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:18.109{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D863D29456E86CDB1A2CC57EB06D7FFF,SHA256=3713F27ECEA364D29314307D732EEA2C4D5F0B3A1EAB6CE154C10753ED2DEDA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:19.830{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2692A4A61A8F75E35A56D56812F9A9B8,SHA256=AEC0BDA4EB0B139884CE84A14DE0B78B182E101825CE73377AF72F0B5AF67D36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:19.200{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57077CAF774C2C2C5A68A54D77CE0498,SHA256=8561B00D1ACDA287A6A7F08D346D1581863E093C55572611E725AD12412913BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:20.913{3F28B219-394C-63EE-8B05-00000000BA02}65284752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:20.913{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A31B43B5C0D8472F7A81FF6FCEB70123,SHA256=1F0D2C07E3AC99F035412C6A514129B4B0A9DBC8D63CFE7BF69B8B3572FC1139,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:20.994{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:20.987{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:20.977{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:20.972{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:20.962{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:20.954{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:20.933{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:20.918{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:20.876{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:20.862{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:20.849{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:20.839{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:20.831{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:20.818{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:20.799{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:20.787{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:20.774{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:20.758{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:20.752{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 23542300x800000000000000088868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:20.306{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=985BF2C1946D68CC318B511CC6B995F7,SHA256=B1807C099A6A5AD41C55227847764D75263E30F9DF6DDBE0611F2781A82033D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:17.295{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51636-false10.0.1.12-8000- 10341000x8000000000000000119674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:20.698{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-394C-63EE-8B05-00000000BA02}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:20.698{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:20.698{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:20.698{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:20.698{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:20.698{3F28B219-1282-63EE-0500-00000000BA02}412368C:\Windows\system32\csrss.exe{3F28B219-394C-63EE-8B05-00000000BA02}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:20.698{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-394C-63EE-8B05-00000000BA02}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:20.699{3F28B219-394C-63EE-8B05-00000000BA02}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000088898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:21.480{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8096CBEDC4F7C9B5CA184D6F8E4E6055,SHA256=4FA823C8A39B52DF18AA0D864E2C5E3A3FD52EA0BB7648AC144423622D5C131E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:21.803{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CE6FD5B98F553033CD0ED7361C7574C,SHA256=DDBBC148B1F965B95D949B7B2A32E1D8827D0FB705E791A6E0981D606FF05121,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:21.458{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7A2667ADB650CEFEDE8629DAECB74825,SHA256=2DC90DD738840D8BCFA0DDD6A49F09931D59E5D63A3571E249E40BF351E3DD4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:21.366{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-394D-63EE-8C05-00000000BA02}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:21.364{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:21.364{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:21.364{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:21.363{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:21.362{3F28B219-1282-63EE-0500-00000000BA02}412380C:\Windows\system32\csrss.exe{3F28B219-394D-63EE-8C05-00000000BA02}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:21.362{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-394D-63EE-8C05-00000000BA02}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:21.361{3F28B219-394D-63EE-8C05-00000000BA02}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000088897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:21.032{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:21.029{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:21.025{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:21.022{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:21.021{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:21.016{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:21.015{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:21.011{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:21.007{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000088888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:21.001{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 23542300x800000000000000088899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:22.577{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24DB661C503D11689D789591C627A798,SHA256=8F6A36BCC790F58D530D35E691A5118679905BDEF2FF91AAA4A883807603BE61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:22.921{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-394E-63EE-8E05-00000000BA02}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:22.921{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:22.921{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:22.921{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:22.921{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:22.921{3F28B219-1282-63EE-0500-00000000BA02}412428C:\Windows\system32\csrss.exe{3F28B219-394E-63EE-8E05-00000000BA02}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:22.921{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-394E-63EE-8E05-00000000BA02}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:22.922{3F28B219-394E-63EE-8E05-00000000BA02}5744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000119696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:20.219{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64669-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000119695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:22.029{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-394E-63EE-8D05-00000000BA02}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:22.029{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:22.029{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:22.029{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:22.029{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:22.029{3F28B219-1282-63EE-0500-00000000BA02}412368C:\Windows\system32\csrss.exe{3F28B219-394E-63EE-8D05-00000000BA02}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:22.029{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-394E-63EE-8D05-00000000BA02}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:22.030{3F28B219-394E-63EE-8D05-00000000BA02}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:22.013{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDE94DDC233798ACE123AE272D7F9350,SHA256=23817B8E5C3C13B64B66140AF6C122F4BD3B43DD8B6FA29D5C85B9842BB331D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:23.642{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA851CC34F1ED5107EC70659AB8CA77F,SHA256=43B7B0402EA7FD10BC528F919173A2FE592395A3D1B9DF3E56272E09462AF493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:23.663{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8A3A0C0D99FF577034E561513DEA5C6A,SHA256=B78D5A9D192423E37B7578EEE4B9BD68B3417BE065872620A6E21630A315EFAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:23.203{3F28B219-394E-63EE-8E05-00000000BA02}57446612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:23.093{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EEB88BC5507604E6CACBA410E9B9691,SHA256=E8A61831BB860720B381084D497866EA75FD44D744252BF1989E8E4F7792B77B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:24.741{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07EE6BEED7AB670FD29634F68312B9E7,SHA256=D200F727A0B68DCA1606D93C9D24BB818F6C60F5FCF46B4CC2249EBF6AFFF134,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:24.971{3F28B219-3950-63EE-9005-00000000BA02}61727052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:24.618{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3950-63EE-9005-00000000BA02}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:24.618{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:24.618{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:24.618{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:24.618{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:24.618{3F28B219-1282-63EE-0500-00000000BA02}412380C:\Windows\system32\csrss.exe{3F28B219-3950-63EE-9005-00000000BA02}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:24.618{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3950-63EE-9005-00000000BA02}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:24.620{3F28B219-3950-63EE-9005-00000000BA02}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000119717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:24.263{3F28B219-3950-63EE-8F05-00000000BA02}68562896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:24.170{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A12553CA0600401D97C8B8153451066C,SHA256=AC26857B13B5EED06B5218485E5DBD3B99396F9997C1D5DC0CE866937493A8C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:24.060{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3950-63EE-8F05-00000000BA02}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:24.060{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:24.060{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:24.060{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:24.060{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:24.060{3F28B219-1282-63EE-0500-00000000BA02}412428C:\Windows\system32\csrss.exe{3F28B219-3950-63EE-8F05-00000000BA02}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:24.060{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3950-63EE-8F05-00000000BA02}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:24.061{3F28B219-3950-63EE-8F05-00000000BA02}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000088903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:25.826{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC14E231036B88964A8DCFF125F4A717,SHA256=92220BA72A2587692967A9C976574DC2B2D2590DD06AED5496EC53F9F54050BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:23.535{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local64670-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local389ldap 354300x8000000000000000119728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:23.535{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local64670-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local389ldap 23542300x8000000000000000119727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:25.252{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=189CB06497EB2C81232AB32C7AE8DB86,SHA256=50B1BE39B4F79487DBACAA0940E1B437723951045AD7F2B24A132E368830AEF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:23.146{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51637-false10.0.1.12-8000- 23542300x800000000000000088904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:26.911{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D08FAB47CA428F2B5B47A3F1C3B46B83,SHA256=0754F8A75A7556EA57E5488C165B351CCFB6023F05C22B32427296DA166A521C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:26.639{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3952-63EE-9105-00000000BA02}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:26.639{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:26.639{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:26.639{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:26.639{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:26.639{3F28B219-1282-63EE-0500-00000000BA02}412380C:\Windows\system32\csrss.exe{3F28B219-3952-63EE-9105-00000000BA02}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:26.639{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3952-63EE-9105-00000000BA02}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:26.640{3F28B219-3952-63EE-9105-00000000BA02}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000119731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:25.225{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64671-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000119730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:26.326{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20E3022759C50A91BA7CCA8D50D3CD7B,SHA256=A42291F4803F3099FB644AB2F8DC6A13B3872F0A9815E9F005BC2D23D8143CA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:27.987{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50784A6F5B7B6D368AFA61A5E5582C28,SHA256=F35E0A8042253392DB671DE8B8E252FFFBDE08BA42006212FDAFABA209A66A90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:27.663{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B9882A2C3F4D01888F05FB24CDA4BCD,SHA256=1B61AD31A58DFC6605A4332847E9011668F8A61C6C0A732F0B373810BA0E35E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:27.409{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA1C565BD944C58EE7BC9D0BDFE842E1,SHA256=D79A451EA8A5DEBC301DC54A6CFA9D48776BE509966392E3DD4114BF2EEA7FB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:28.586{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7673336931A1C8F9C775AE2DC83B1EB7,SHA256=46F0EE55F1B511450A8C41F7453213060BE705E97CDE899CC6C841BD0984C1FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:29.947{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 23542300x8000000000000000119768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:29.636{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24BEF8E32A2A116DA182CEC755017B3E,SHA256=788AC3D519A9752A8BE6B10FF43322790AE20B7E11960C85132A7DF2D3E94E7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:29.083{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F50EC82FD67756AF564F7BE908F7CFDF,SHA256=12B543F1040AAE7D15D7DF2F50569768CE16BAFD504DCEAEA53B068E25D2EA0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:29.433{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:29.429{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:29.428{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:29.422{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:29.417{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:29.407{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:29.402{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:29.392{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:29.385{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:29.383{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:29.381{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:29.378{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:29.372{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:29.355{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:29.349{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:29.338{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:29.329{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:29.319{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:29.304{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:29.274{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:29.264{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:29.253{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:29.245{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:29.134{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000119743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:29.130{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 23542300x8000000000000000119770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:30.796{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D6D79BD1AECC3F9DF511246C4C0FFC5,SHA256=9D8C710327FF7D52B656FEEA70CC1EC76E5AA9C1AD72BF8DD89BFAAB5ECE9F4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:30.165{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0F42162F61D669D554BAAF4858CE0B1,SHA256=79D0AC991863DE31CE25C787BA8148CF51C6D1071C39AB591DAA8029594D2FDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:31.993{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:31.992{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:31.991{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 23542300x8000000000000000119771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:31.887{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20B2473C91A5995BED5DBF127642AC46,SHA256=2469A73CA5AB9D5BAD7FBE6949E7430DB394570EC8B27715928267B2101F4185,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:29.174{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51638-false10.0.1.12-8000- 23542300x800000000000000088908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:31.232{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF88532F723B2B866302985B7216AF1F,SHA256=2A5C3B7FC697756EEAA2795CFC40F655EA93540DB5D134E4803F5666300D36C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:32.951{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91B33476E2B0E9767C1EF6969D1B9CC3,SHA256=669286921322A8C73A052F1F6BED75B408351265F3B13B4AEDFBEA19C9BC3946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:32.325{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A993D4148657254B026EC38185EA0E0,SHA256=3DB23FF411C075DCE339C0687F739C0E353CDED264B9B59954BC9CE09FC7BABE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:32.690{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:32.668{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:32.665{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:32.663{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:32.657{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:32.632{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:32.610{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:32.573{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:32.573{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:32.572{3F28B219-1283-63EE-0B00-00000000BA02}628824C:\Windows\system32\lsass.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:32.551{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-14C1-63EE-EE00-00000000BA02}5488C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:32.548{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:32.537{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:32.522{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:32.516{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:32.511{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:32.508{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:32.506{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:32.503{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:32.502{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:32.499{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 354300x8000000000000000119775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:30.358{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64672-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000088911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:33.376{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=381F625E4170A7E31D4879B9F3CEF8C1,SHA256=3D0FCAD094433871B412CDF7BDD00C7F1AFDAB1B2BCBD7F6140B0D346C308990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:34.449{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF6149FD8CC24CC39C5DD47BE2438E12,SHA256=2EFE7ED26007B94F846CE8EAECE03684E5C9E5682835570000067DCE2F41D547,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:34.036{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A823FD02FD719755F6CAE1C96C004E82,SHA256=E394AEFD3A7306492D24D418BB819AA193DEF7583E57B656AEC22A91783592BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:35.536{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=070063BC7EB4C18DFDD9D6782788EF07,SHA256=21B6BDA87832F1D86A64FDC37F435727B4C129AE46F1E4EDDDF0FF89BEC5DDCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:35.592{3F28B219-15C5-63EE-3701-00000000BA02}5348ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=40D862F7AD473C03451ED48CDB75038F,SHA256=6F1739B2BC7B018811DA83CC8790CBD4C8B6BB9950A7AD4FAC000E1BA97BCCC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:35.123{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE6C94AC8D845BFD5EED0AD2F6D8FF1,SHA256=79BE0672599D55120BB2679B1AC4E64ADE495A27316559F4C7B1F943C5AF6C42,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:34.279{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51639-false10.0.1.12-8000- 23542300x800000000000000088914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:36.621{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05565E50481ED41EF3383940A33BA291,SHA256=6E4030CD45522282AF926331195508AEE60816C4D1FD3698DBCB8AA1210046C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:36.210{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E965A5B664C50D90F8FEA00058AEE1B,SHA256=3481579EC456CC009C4FA3E1C07E67EFD687050B6A4F5DCB5CBB2369AC72F00A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:36.147{3F28B219-1283-63EE-0B00-00000000BA02}6284564C:\Windows\system32\lsass.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000088916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:37.702{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9E8E9F4D1FB4966FC9A5C2FD26120AA,SHA256=D670F8917FADFD6BA1FE88A3F011AC47BD671203F8A722AE2FFF241E9EA267E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:36.310{3F28B219-1280-63EE-0100-00000000BA02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local64674-truefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local445microsoft-ds 354300x8000000000000000119808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:36.310{3F28B219-1280-63EE-0100-00000000BA02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local64674-truefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local445microsoft-ds 354300x8000000000000000119807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:36.307{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64673-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000119806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:37.374{3F28B219-15C5-63EE-3701-00000000BA02}5348ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\1.ps1@2023-02-16_141035MD5=E3847747D55B5F06A70F1C49B648691E,SHA256=7EE7840EE6473B6F0F2B59E95966FDDE8CCC973B79A56BB4E4645482245E3D5F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000119805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:37.374{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exeC:\Temp\1.ps12023-02-16 11:56:09.298 23542300x8000000000000000119804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:37.374{3F28B219-15C5-63EE-3701-00000000BA02}5348ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\1.ps1MD5=D0B225BDBE6CF943A6B8B1739F3E418E,SHA256=A414AFBC56D5FE7C820EDE282934CDF37C92C1C1805403A6833BA25D44EF11EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:37.295{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2593F9699EFD90572EE0EB186915BF1,SHA256=D1C5C13F4D877A4A7D803B4F6E742F0979BCACA3EA8A8BDC05A6649660251840,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:38.381{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2A16053A8C41F9D8C4D1E4264E700EE,SHA256=0BC5151C793C75C893A32F3EF4BCEEFB64D3442C97C13546216C2C3D32D96D44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:38.786{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=757526280E0C46A3E6DAFF436C0F783F,SHA256=7BD7EC9FB7A4A970A596F33BADD4040A590472F0A5D9A37D1096AC8DC7D31C09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:39.878{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D7F28D3D635385D8125127D40CAE218,SHA256=899AB01BC957DE67B7CF01BD5C8BC41FDC46D5E3B46EE5AD1686B8249D8AC88D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:39.446{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1470BA45EAA1E9292B983FF21E76197A,SHA256=37222BE803FB4AA314D71FE94B0A3B3ED3870475B516F852CD715A7EBE2D7D2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:40.974{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 10341000x800000000000000088947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:40.969{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 10341000x800000000000000088946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:40.964{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 10341000x800000000000000088945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:40.960{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 10341000x800000000000000088944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:40.960{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 10341000x800000000000000088943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:40.956{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 10341000x800000000000000088942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:40.954{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 10341000x800000000000000088941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:40.950{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 23542300x800000000000000088940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:40.947{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A875F5E69C4CF017F9D625DC51EA3B71,SHA256=EDEA10DFF59D7140A8FDF2C7E18B1C23F8F0483F8B1962C1C1C181BEA51A1D48,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:40.946{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 10341000x800000000000000088938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:40.943{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 10341000x800000000000000088937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:40.941{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 10341000x800000000000000088936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:40.935{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 10341000x800000000000000088935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:40.917{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 10341000x800000000000000088934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:40.908{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 10341000x800000000000000088933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:40.900{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 10341000x800000000000000088932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:40.895{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 23542300x8000000000000000119812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:40.534{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E62D84C48649703C54117C539798FE4,SHA256=8AAD1CCDAB1A50AFF2A2060ECCDD886D38F31CED6866EA50C73534D4D7C86947,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:40.873{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 10341000x800000000000000088930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:40.855{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 10341000x800000000000000088929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:40.820{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 10341000x800000000000000088928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:40.809{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 10341000x800000000000000088927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:40.796{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 10341000x800000000000000088926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:40.790{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 10341000x800000000000000088925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:40.784{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 10341000x800000000000000088924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:40.775{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 10341000x800000000000000088923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:40.768{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 10341000x800000000000000088922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:40.763{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 10341000x800000000000000088921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:40.757{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 10341000x800000000000000088920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:40.746{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 10341000x800000000000000088919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:40.744{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 23542300x800000000000000088949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:41.915{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=452B1E00DB0C3206702E8BBEEB1F81F5,SHA256=9450F92196BD6E304C49B3B1F991D2F9449BF05FA17C692014DA3CCA061A08B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:41.623{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6508740472A146B6049C7BB672611596,SHA256=7942E0356B6D7884BD05FE17BFF024D6D7FC35CDE03D47DB39006DCFF41335FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:42.995{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C10CB8C65B861D894AB0D0C348607708,SHA256=355A69B1E546C7310F424C8D024766AD061FBD744555CC7890B114C92EAE3874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:42.708{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB389CDA6D5B3BAA9F1C8A284C3942C0,SHA256=4650EDEFAB00D24B91BCBCAD47F8E370D98D740C2B6C8A1FFD7543DFC4D27AD0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:42.185{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64675-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000119821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:43.791{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC0611D8F89C300CE3D2147B3D9484E,SHA256=8E971DC99961D9A877B1A70DC9C43AB7ED9FCB3AF1E92772AD9C796EBEC91634,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:40.216{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51640-false10.0.1.12-8000- 23542300x800000000000000088951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:43.136{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=038CAB1CC333CE6A3026143BF1DF42BF,SHA256=6F6B8EA717613F972BA66FEA05DF67709312C7890AF002EB3EB2BAE092C3B108,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:43.682{3F28B219-14AE-63EE-D900-00000000BA02}50206100C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+18459|C:\Windows\System32\SHELL32.dll+89d20|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:43.682{3F28B219-14AE-63EE-D900-00000000BA02}50206100C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:43.682{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:43.682{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:43.682{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:43.682{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:44.889{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A94DF5A63ED8B739341123CAC0DC9DB,SHA256=3490664B7BAA9D4CD2230E36FAA8276F300A99BE595EF96F0011BD1CC3C0E4BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:44.083{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F489AB0549E92776877F1B99A9349A9D,SHA256=C251AF8F762C026031ADA7B9345DB0A69798884BB63B2598D33D89F2E00755A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:45.984{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FE666096B07E8FAFE2F838083B0745F,SHA256=E15DBB790D216B0924753A20FE8D466D963BCC2FD131B4FCC8680E40AFF12864,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:45.172{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1861787FDF1942E25C7977DB601669C,SHA256=604462D87BE3CBEBCC39681859B60A49622015E9FEA5C4B7B55846648117FB2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:46.251{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F86915B93D2277C388B3EF519E7EEF,SHA256=15DFDF6F473595A0099232BF09B096AC8E2AB586192DA0196232B678ED5435F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:46.837{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=10F783541706DA6B94246365E7E93E74,SHA256=40EE612528C4EAAB62D984CFCA33422FE15CF87B93B393B9911A904D483B9D75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:46.093{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E661607D9C17A797162E8FB7F95E6C08,SHA256=88A302B5B8AD3DF02B8BE64AD31770FF29ECF8F9D48185EEE091821349E032DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:45.320{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51641-false10.0.1.12-8000- 23542300x800000000000000088956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:47.324{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9312F126AF3FD25F1870AA9CBEF4DE33,SHA256=F8CCD45C62E93AF8A06109D4F7908F45AAF0B48254CD64839FDB5C610FEBB791,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:47.499{3F28B219-14AE-63EE-D900-00000000BA02}50206100C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:47.499{3F28B219-14AE-63EE-D900-00000000BA02}50206100C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:47.499{3F28B219-14AE-63EE-D900-00000000BA02}50206100C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:47.499{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:47.499{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:47.483{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:47.483{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:47.066{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E12FF7E4F16B1B411E0F4DCAA58FABC,SHA256=8E5DB8C8AA8A3357158C2ED5DFEF9F1DE6924BB94E1CD62AE5E62A05457E485E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:48.397{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=850A7436A99A684A6C18CC411E705C06,SHA256=9A64103D3BC01527DD0B285E63FFE09FC110A8DEA97C3D88D84F916E0B980592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:48.153{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3906013FC7F651C75181781A52EF5531,SHA256=E31BD57973BE41F70A7A44F8D22FF8EEA2BEA4E486CD070C72AD96CF3CDA9E02,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:48.203{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64676-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000119862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:49.873{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:49.348{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:49.340{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:49.336{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:49.333{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:49.324{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:49.316{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:49.313{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:49.303{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:49.297{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:49.294{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:49.292{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:49.289{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:49.283{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:49.269{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:49.262{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:49.254{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:49.246{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:49.239{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 23542300x8000000000000000119843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:49.230{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5BF3ADACEFF983A5BAEA0E7A5D6FF92,SHA256=F32A05FCFE8A1916A0856609DD5CE1A67BC1D0F209CE1E76981BF695CC7C31AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:49.222{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:49.190{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:49.183{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:49.175{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:49.167{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 23542300x800000000000000088959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:49.476{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96E297FD3217F99316768F418EBE4276,SHA256=81A72DBBBC7CA6B1121B04B97662AFE744F74FA75DEDEDC7C94F60CF18B1E25A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:49.123{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:49.120{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 23542300x8000000000000000119864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:50.270{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DD260E4A65C37E0374E83F1C47AEF39,SHA256=0139767A260973ADA3053D9D7CC4F6EB2F912B6BC544A5E03808F7628EA454E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:50.563{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F06A18395AE08FB077E640352B63DDA0,SHA256=E247E618DDF122786766FC9866B69F31B7C94463EEC3E81CD41767C677688174,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:51.925{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:51.924{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:51.922{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 23542300x8000000000000000119865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:51.347{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8590319FC014CFE7CA838C1E3F95DBB4,SHA256=3EB764AA6718E175330459DC4C92FC5C0C78B7738E2ABD481FADFE775DA0E984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:51.639{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24DBA75BDEE920E5BF44FD2EC7A33346,SHA256=D139E7B30B5EF95B63FBD73735758F7DA2044D46CC4F6AAC6C3BDA95F0570B5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:51.005{A847701F-1280-63EE-1200-00000000BB02}1016NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F98DCF165B61E04E3967B09E04255AF2,SHA256=AAA7B6378E242840B6D25988DF70B677DC7B583BB2EAA8FCC6D13707F87D87B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:52.564{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:52.545{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:52.541{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:52.537{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:52.533{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:52.513{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:52.502{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:52.473{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:52.463{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:52.452{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:52.447{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:52.445{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:52.441{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:52.438{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:52.436{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 10341000x8000000000000000119871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:52.435{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 23542300x8000000000000000119870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:52.434{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B2B8A4D7338AB816DE99F681AAACB1A,SHA256=EB9A09B988F753C6ED0E1B3DF5C7D27CB3FF1A41F4B6647CF8B674427E744B6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:52.432{3F28B219-14C1-63EE-EE00-00000000BA02}54885136C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BEDE190) 23542300x800000000000000088963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:52.724{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F8D2EAB6142F8AC5E5C9DC629CEF076,SHA256=23A58C147B2559AAEBFFD69A17D3A592B335B58C25A8DF6BEFB2D480F2AF6A8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:53.503{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA1E81CC4D1D71A8E2B12ACBC2F68953,SHA256=99595F458E3D05D90D9C0D68F95ECC194346133A971EE58F6834BAEC266D830A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:53.800{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=594DD0568E3EE45846B834424E3EB218,SHA256=69EB5CEDB731C1DCE8573F1406A8C61CBC2DFDBF5CE99CE05C14EB02C56C5315,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:53.018{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=90BD0A052BC110F5D65E539E7D4B8A15,SHA256=624FE377C1C81E5BD9AD754567EE7CBA047400ECDEEFEBB5815A63A60372BA1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:54.888{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB413ED9726C89F8FE4450039ED77B83,SHA256=4F95A178262D7E28144047EFF33B7397DEF7E9D9E7432A887FD2F04CE64A1A71,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:53.350{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64677-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000119890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:54.826{3F28B219-1285-63EE-1100-00000000BA02}756NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=CCDA03E857ADE3D3E5E8B8989CC02A7C,SHA256=0D1897B892A2CBFA0C0A28D70B9CF7B954F527FD0DDAB76B7E6B97A886EB194B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:54.591{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39CACC34149B38E73C63AFDC3E5D4519,SHA256=A06C7CEED76875DD141DDEE1431225FE2BF2E7DBEBAB16419650A45F6CB1A13F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:51.221{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51642-false10.0.1.12-8000- 23542300x800000000000000088967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:55.971{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F305DEB3BA926497CF337443C4C636A,SHA256=59192A5C02F3FFF691DD8F38048CC2CD07242E89FC05838C769DD48DC447BC5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:55.683{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B530139345FC6E469398A42DC81A5CA,SHA256=9AFA9009AD44C98E4EDD5B31C9DDCDA06F8C68405CFD1EC8387829EF3E4716FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:56.759{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=194578D642C59F9CC8E4B4705913D80C,SHA256=3665D6B4EC17928EC04E5D3D57FB00D4DC7F05738DA7E66AE84A90F20173E53C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:57.831{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=565BFB1504D347E26CB130971BC7D1CB,SHA256=83968781C61F39BCF4654C49BE22571AC31AC9772A8BD0AA655ECC2425117B83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:57.081{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD09D1BBBB8D2DE3491E60AA9055FC79,SHA256=34CA82F6976E821A3DE2A7045A11B22EF937B6246EB5794D49BD7450B6BCE02D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:58.158{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E21FA70493D020355AE993BD87FAF4FB,SHA256=5CD02D7646F8BBEA270CFCC3C9D57104829ADAD046C4D797BF132955E76D71F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:59.774{A847701F-1281-63EE-1C00-00000000BB02}1884NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0729cc0666dfd4ba8\channels\health\respondent-20230216112453-161MD5=B67CF1AA8F02C4F88F32B9662830A5FC,SHA256=A3185EA3A347A8F67D824B533332877713B0C696AA9DEB83501331F2F0EF2A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000088970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:59.246{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD236444F7AAC3015FC786B014F1F139,SHA256=5BB7B074CBD4FF2B29097CA92C2F2F888FD5BB6AEF6739BC8AEAC0A171E70C7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:59.011{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=476772E72E47C6BEEA7B557DF5D3F3CC,SHA256=172FE2CFFBB3E2F2B55A8475A10F225B895BD9324F84F5A76FDDE55A3821A171,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:00.997{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000088994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:00.996{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000088993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:00.992{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000088992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:00.984{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000088991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:00.981{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000088990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:00.973{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000088989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:00.970{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000088988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:00.955{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000088987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:00.944{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 23542300x800000000000000088986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:00.899{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=281B95656156CCFC1211A59F701603F1,SHA256=86EC2ED804979D2F26D869E18FE5EEF314C2344A30388E16CC0816FC1020DA93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:00.890{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000088984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:00.882{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000088983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:00.866{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000088982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:00.856{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000088981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:00.839{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000088980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:00.819{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000088979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:00.798{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 23542300x800000000000000088978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:00.777{A847701F-1281-63EE-1C00-00000000BB02}1884NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0729cc0666dfd4ba8\channels\health\surveyor-20230216112450-162MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000088977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:00.773{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000088976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:00.766{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000088975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:00.760{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000088974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:00.757{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 23542300x800000000000000088973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:00.321{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE1F7A5AB8FD4812EA43B0267EAA6B8A,SHA256=DDB6DDFA490AC6A80DE7834CF44E6FB6297E693A916CEF3A3BCB5459D5D0C3BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:00.110{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCCBBCD2E7AA71E140546DFE1044C818,SHA256=03E7ED2D43B8D70887829A9D6B804584CDDEB5E1F80C1F134A6D978BF70A0752,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000088972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:57.151{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51643-false10.0.1.12-8000- 23542300x800000000000000089005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:01.747{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C272828D8BF0C0F98BDC728D296F48E,SHA256=348EC69934EE60EE9B785F8D0BCDF75FECB5E646C1734C599C11208FBABEC7D4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000119899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:11:01.862{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d94210-0x800160e7) 23542300x8000000000000000119898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:01.195{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B160C93DA88610EB87825D952C8B3AB3,SHA256=FAA4F10A33F7609F612C476BE326116D69A9FF67E5E641987163B92B718B5314,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:01.026{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000089003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:01.022{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000089002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:01.020{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000089001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:01.017{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000089000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:01.016{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000088999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:01.013{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000088998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:01.012{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000088997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:01.009{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000088996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:01.001{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 354300x8000000000000000119897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:10:59.249{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64678-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000119900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:02.272{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75A256E390773D1ADB722A3B404FB901,SHA256=5CD9F0881D7534DBC7487F6AF2500DCBB231F50EF71DAAA8CD201AA2D688C80D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000119906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:11:03.437{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\90005E51-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_90005E51-0000-0000-0000-100000000000.XML 13241300x8000000000000000119905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:11:03.437{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9C56FEC4-DF75-4A6A-8202-93F7FB933FAC\Config SourceDWORD (0x00000001) 13241300x8000000000000000119904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:11:03.437{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9C56FEC4-DF75-4A6A-8202-93F7FB933FAC\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_9C56FEC4-DF75-4A6A-8202-93F7FB933FAC.XML 10341000x8000000000000000119903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:03.421{3F28B219-1283-63EE-0B00-00000000BA02}6284564C:\Windows\system32\lsass.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:03.421{3F28B219-1283-63EE-0B00-00000000BA02}6284564C:\Windows\system32\lsass.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:03.343{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D6E8777B6CFCA53328B5CCE923CFDA1,SHA256=C39A0512DF39DB601BE59F8BDB2FF6BC371C4E76E1DB9B01B7DC929FF95D46B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:10:59.984{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51644-false10.0.1.12-8089- 23542300x800000000000000089006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:03.011{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E91A98E087B91AAAA2A3D8C211F9CB8C,SHA256=7AAE12B05549C5BA7F1B76EE24A2C1AE31C18B34C9C3A3DDFACCB47D6D36B7A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:04.416{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D4DC5EC0795D4A1236CA4A4744A9EF0,SHA256=78933C89746C558AEE6BC2B3A1FE733CE3C4A4D3854F52F82780B9D8051B3FD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:04.087{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F0B8831802CA4A4818FF0A73712BBF9,SHA256=5F4A18AACBC961D56DF4B62474F00748A806776AFB409F921397A5D64E31EFD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:04.259{3F28B219-1283-63EE-0B00-00000000BA02}6284564C:\Windows\system32\lsass.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:04.259{3F28B219-1283-63EE-0B00-00000000BA02}6284564C:\Windows\system32\lsass.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:04.259{3F28B219-1283-63EE-0B00-00000000BA02}6284564C:\Windows\system32\lsass.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:05.502{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFD8C135D3E7BB2E2D842E034C24063D,SHA256=1DBD2DBCB043AEB704A3BF426E53A6FF73041436700A4D40DA9686766CB5F4F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:05.171{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=785F36932CD1C368C3E980D522CDC5F1,SHA256=0ACE1FA30B342E7FA3105AB6E94BB83390D03BD4B663F38B2963A856C0D0FDDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:05.299{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B05B1BCE5B96C750C7ECC8E3CC488BA,SHA256=7EB6B04FBB67D1C936FAA716FBEAABB817520A150ACB86F2CACC75194D6425EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:05.274{3F28B219-1283-63EE-0B00-00000000BA02}628668C:\Windows\system32\lsass.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:05.274{3F28B219-1283-63EE-0B00-00000000BA02}628668C:\Windows\system32\lsass.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000119917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:03.608{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:6c00:4400:c8d0:adf7:8db3:ffff-54693-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000119916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:03.608{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local54693-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000119915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:03.583{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local64679-truefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local135epmap 354300x8000000000000000119914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:03.583{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local64679-truefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local135epmap 10341000x8000000000000000119913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:05.098{3F28B219-1283-63EE-0B00-00000000BA02}628824C:\Windows\system32\lsass.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:05.098{3F28B219-1283-63EE-0B00-00000000BA02}628824C:\Windows\system32\lsass.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:05.098{3F28B219-1283-63EE-0B00-00000000BA02}628824C:\Windows\system32\lsass.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000119924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:06.585{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE2DB881BFDD758794AEF8760638C8B8,SHA256=0A8B702113260D8755E423159355831E3091154177153CC81B5B57152BD2D492,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:06.254{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22223BE257649C40DB7753B29CB7B71A,SHA256=C901BDF976E9442F3A61BFD76E33134659349CC23873CDCD468BC7DF7A97026D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:03.174{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51645-false10.0.1.12-8000- 354300x8000000000000000119923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:04.418{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64680-false10.0.1.14win-dc-ctus-attack-range-295.attackrange.local389ldap 354300x8000000000000000119922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:04.418{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64680-false10.0.1.14win-dc-ctus-attack-range-295.attackrange.local389ldap 23542300x8000000000000000119928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:07.660{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42B8C435A353B4209AD3573EBAD2ACF8,SHA256=DE82EE7E4C6FFBEDA73842020301C5985AF1FEF8BB6A5AD6BFA15984E93550D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:07.711{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:07.711{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:07.711{A847701F-127F-63EE-0B00-00000000BB02}628716C:\Windows\system32\lsass.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:07.697{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1E00-00000000BB02}1976C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000089012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:07.217{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32E189D975ADA624CE9911AEFDC365FE,SHA256=2FAF11E5667E5440EC44F76AB24506859E6B957256FFC09100818C01F6F76E5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:05.256{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64682-false10.0.1.14win-dc-ctus-attack-range-295.attackrange.local389ldap 354300x8000000000000000119926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:05.256{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64682-false10.0.1.14win-dc-ctus-attack-range-295.attackrange.local389ldap 354300x8000000000000000119925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:05.241{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64681-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000119929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:08.740{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B05443460D8B95EA3DB5908CCC459C,SHA256=47C30CD22235E76646C946E9E2FCCAA799A3A89F4FC85C96B7C3B1E43376916F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:08.312{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA13E2C31FE76EA13D0C70B905E77061,SHA256=1E649F6AD338A9115FE86263CAB57F3D8CBFCE7FBCEA27B0C55DBDD9FD9D983F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:09.981{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 23542300x8000000000000000119955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:09.780{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A169FFA0866BD94E66AACC503971658E,SHA256=D7D64890B1478DDFFE19E0956F5BF1A50E6269900254570EB4DDB038E94D4368,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:09.400{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=407C2E70562C6EF1DDA3AAAB2DF86E5A,SHA256=44EA8678EF6D74B7AC4EACC582310853227FB724098E3D7BF2752A6F50DD1955,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:09.497{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:09.490{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:09.482{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:09.472{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:09.466{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:09.444{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:09.440{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:09.427{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:09.415{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:09.408{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:09.406{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:09.404{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:09.393{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:09.372{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:09.365{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:09.356{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:09.344{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:09.328{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:09.316{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:09.271{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:09.257{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:09.238{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:09.217{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:09.132{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:09.128{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 23542300x8000000000000000119958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:10.962{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AF9BACE4884B17AD96C89AB1F6FDDD8,SHA256=BFAC46AE10399F81FA13403498A93A889182E4C97768128852F1DDC867FCA819,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:10.784{A847701F-397E-63EE-1905-00000000BB02}3761956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:10.559{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-397E-63EE-1905-00000000BB02}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:10.559{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:10.559{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:10.559{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:10.559{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:10.559{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:10.559{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:10.559{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:10.559{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:10.559{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:10.559{A847701F-127E-63EE-0500-00000000BB02}412528C:\Windows\system32\csrss.exe{A847701F-397E-63EE-1905-00000000BB02}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:10.559{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-397E-63EE-1905-00000000BB02}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000089020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:10.559{A847701F-397E-63EE-1905-00000000BB02}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000089019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:10.481{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD3813EEE8D62BFD3B023611574FE851,SHA256=77BD031507C4A96170F0819E4126D3544C446A05D52FAC588ECBB4E1065F39B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:10.828{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=281B95656156CCFC1211A59F701603F1,SHA256=86EC2ED804979D2F26D869E18FE5EEF314C2344A30388E16CC0816FC1020DA93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:11.887{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=000DD26E195E7E56EA728EA1CB877A8B,SHA256=56C6F3643EDBA1FFF3FE61C41F825DB8B604E67D78BDCA725FF2F3A0243F9D2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:11.753{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AA70B02B28EDF27D9EE68C3224B6081,SHA256=CD1C26ADDD2A0B52C457B07AA199D101235C8A54C6B299E1168F249DE009CDAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:11.753{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F774BC8321D8B43FCF9B7E53FBEE34F4,SHA256=5F721EF5AEB7B557F33369A9FBBBEDFDF39E191DBF43797C6C09774D80988747,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:11.222{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-397F-63EE-1A05-00000000BB02}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:11.222{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:11.222{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:11.222{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:11.222{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:11.222{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:11.222{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:11.222{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:11.222{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:11.222{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:11.222{A847701F-127E-63EE-0500-00000000BB02}412428C:\Windows\system32\csrss.exe{A847701F-397F-63EE-1A05-00000000BB02}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:11.222{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-397F-63EE-1A05-00000000BB02}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000089034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:11.223{A847701F-397F-63EE-1A05-00000000BB02}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000089051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:12.847{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2A9A5F363A3D89D7519855EF4F542AE,SHA256=21AB6B5253C411F1007E38DB34ED8C8E24BAA0532AEACC36D968AC99AF4E45B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:12.729{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:12.708{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:12.704{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:12.702{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:12.697{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:12.671{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:12.653{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:12.599{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 354300x8000000000000000119973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:10.970{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64684-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000119972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:10.405{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64683-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000119971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:12.584{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:12.568{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:12.554{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:12.552{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:12.548{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:12.545{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:12.539{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:12.537{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:12.534{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 23542300x8000000000000000119962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:12.031{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=407A9FD9C3B9E00C73E05F7AD0B117B4,SHA256=43AE869B4A32DCC6440CA9F4B70C51C4952298B65C431EC444896EF36BE3C1A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:12.016{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:12.013{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x8000000000000000119959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:12.011{3F28B219-14C1-63EE-EE00-00000000BA02}54885524C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 354300x800000000000000089050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:09.145{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51646-false10.0.1.12-8000- 23542300x800000000000000089066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:13.957{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5A05D91CF011B29042AFB570188B28E,SHA256=B41F5A5236306B8BA7D6CDF6EACF3B16B1DF1502F2D8D732517BAF796A448C8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:13.100{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E741D4791102EB71380E19080835249,SHA256=672183BFEE6D7378990B4DE68A8FCCAC93DE4B9D1EA007A75E479C2C62912375,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:13.582{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3981-63EE-1B05-00000000BB02}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:13.582{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:13.582{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:13.582{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:13.582{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:13.582{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:13.582{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:13.582{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:13.582{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:13.582{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:13.582{A847701F-127E-63EE-0500-00000000BB02}4122656C:\Windows\system32\csrss.exe{A847701F-3981-63EE-1B05-00000000BB02}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:13.582{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3981-63EE-1B05-00000000BB02}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000089053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:13.582{A847701F-3981-63EE-1B05-00000000BB02}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000089052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:13.378{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8BB76A7B773669DF3706E45B83B54664,SHA256=5C54AC846928B595C3BF335C910AA8785616C6DCF453EEDF0108DE4090B69EFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:14.284{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CCBECFEBBEE6DDDB88699091E082F1E,SHA256=38DA78CAAE11BB3F9FF4CBD68C342F962FA292068F570B28BB70772AB4894715,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:14.827{A847701F-3982-63EE-1C05-00000000BB02}370432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:14.640{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3982-63EE-1C05-00000000BB02}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:14.640{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:14.640{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:14.640{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:14.640{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:14.640{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:14.640{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:14.640{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:14.640{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:14.640{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:14.640{A847701F-127E-63EE-0500-00000000BB02}412428C:\Windows\system32\csrss.exe{A847701F-3982-63EE-1C05-00000000BB02}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:14.640{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3982-63EE-1C05-00000000BB02}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000089067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:14.640{A847701F-3982-63EE-1C05-00000000BB02}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000119985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:15.361{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E99BA592A9BA6FB5FBF7AA48D28E363F,SHA256=809CD233890AD39A67F3902CC297BCF20AF0AE59604ED21141DF28CE915E26C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:15.983{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3983-63EE-1E05-00000000BB02}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:15.979{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:15.978{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:15.978{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:15.978{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:15.978{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:15.978{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:15.978{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:15.978{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:15.978{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:15.977{A847701F-127E-63EE-0500-00000000BB02}4122040C:\Windows\system32\csrss.exe{A847701F-3983-63EE-1E05-00000000BB02}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:15.977{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3983-63EE-1E05-00000000BB02}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000089096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:15.977{A847701F-3983-63EE-1E05-00000000BB02}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000089095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:15.513{A847701F-3983-63EE-1D05-00000000BB02}2404668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:15.310{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3983-63EE-1D05-00000000BB02}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:15.310{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:15.310{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:15.310{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:15.310{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:15.310{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:15.310{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:15.310{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:15.310{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:15.310{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:15.310{A847701F-127E-63EE-0500-00000000BB02}4122040C:\Windows\system32\csrss.exe{A847701F-3983-63EE-1D05-00000000BB02}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:15.310{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3983-63EE-1D05-00000000BB02}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000089082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:15.311{A847701F-3983-63EE-1D05-00000000BB02}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000089081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:15.029{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72A86FC0E2713462E0CB1E1B6F1BA295,SHA256=8F5941C809B1584B85C7DA40D8AA738B079E89B9EED32465F4CC24E556C5838F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:15.162{3F28B219-1293-63EE-2700-00000000BA02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-005f8c708c98243a3\channels\health\respondent-20230216112509-161MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:16.439{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=166C9A883DF36EFE027F1D66122CBAC3,SHA256=604CA33CADD42E7F74C17E79CDC42077A4F6D5FD582F1A049421E7AB89B4D566,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:14.209{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51647-false10.0.1.12-8000- 10341000x800000000000000089110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:16.170{A847701F-3983-63EE-1E05-00000000BB02}16602548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000089109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:16.170{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E77BE8862C636D937ED76D29C12BA2A,SHA256=F9709DB2A788201A454402170DB1FD40DA07CB822A4E6FC071C0CC1F9B22035B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:16.167{3F28B219-1293-63EE-2700-00000000BA02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-005f8c708c98243a3\channels\health\surveyor-20230216112508-162MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000119989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:16.262{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64685-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000119988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:17.517{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=433D69B97E94ED282105F2A8881900C8,SHA256=D63DC9716CAF07D861ACBC16E6A69AF4E85BC9BC86B48EA6F0BE7EFC98CA4A15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:17.286{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4C304E85B55AC26E1ACFD844F6439CA,SHA256=130917D08CC84C29E469B8135B0C3B49FAED9D32B372E2CA8A9BEAA04C1C7877,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:18.977{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3986-63EE-1F05-00000000BB02}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000089128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:18.976{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3986-63EE-1F05-00000000BB02}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000089127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:18.976{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3986-63EE-1F05-00000000BB02}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000089126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:18.770{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3986-63EE-1F05-00000000BB02}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:18.770{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:18.770{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:18.770{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:18.770{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:18.770{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:18.770{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:18.770{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:18.770{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:18.770{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:18.770{A847701F-127E-63EE-0500-00000000BB02}412528C:\Windows\system32\csrss.exe{A847701F-3986-63EE-1F05-00000000BB02}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:18.770{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3986-63EE-1F05-00000000BB02}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000089114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:18.771{A847701F-3986-63EE-1F05-00000000BB02}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000089113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:18.364{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=874D6F3AAF6A5EA129D3FA4D338F7ABE,SHA256=7F99FCFE88CD03ECE419D89A87EFFFDFB7BEA672E3F248B59537AD04436A8D1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:18.608{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01B0F524E5FCA936B40250E6A3363F73,SHA256=2ACED396BE02A5DE3992573672DC7202F443314A3E2D7EAA50455B85DD6D5F1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:19.889{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA0D20E195441135204C1B1A3381C914,SHA256=47E2285E6515EFB2C78F9BBFDF1ABE858C56598492E3A6A7133440FF5179887F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:19.452{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01211D338F174E63738D731D566F8AF5,SHA256=835A19D25DED7D8A5A6D5398AA898F1C87533F7A4A64703BA4E96716F56DFC1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000119991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:19.671{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E4EBB1482F38BC1B1498CC57CAE5DAD,SHA256=3DD2C57DC452C8EF9664429CDA7BF6AEBD536C00EEC0F08B1306DAAB148A7C08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:20.954{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000089160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:20.952{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000089159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:20.941{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000089158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:20.939{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000089157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:20.938{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000089156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:20.935{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000089155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:20.934{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000089154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:20.932{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000089153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:20.927{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000089152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:20.921{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000089151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:20.919{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000089150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:20.916{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000089149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:20.909{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000089148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:20.906{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000089147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:20.898{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000089146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:20.896{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000089145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:20.883{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000089144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:20.875{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000089143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:20.847{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000089142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:20.839{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000089141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:20.831{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000089140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:20.823{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000089139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:20.816{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000089138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:20.808{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000089137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:20.795{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000089136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:20.787{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000089135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:20.775{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000089134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:20.766{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000089133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:20.761{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 23542300x800000000000000089132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:20.528{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B2478BE2FB5E2621EC30FEF3A6CFCD8,SHA256=F87E89894CBF679AD1209FBF3C5DC619BA6312FCF3E8A811B7855E40EC05DB37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:20.760{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C18C8A55CE893EE4EB5F31B710C8CF2,SHA256=9B0773A8E78FF7BDD0EA6E181E63C73641BC4E3B5803E6ED4074E6A42FCEACDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000119999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:20.698{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3988-63EE-9205-00000000BA02}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:20.698{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:20.698{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:20.698{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:20.698{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000119994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:20.698{3F28B219-1282-63EE-0500-00000000BA02}412524C:\Windows\system32\csrss.exe{3F28B219-3988-63EE-9205-00000000BA02}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000119993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:20.698{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3988-63EE-9205-00000000BA02}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000119992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:20.699{3F28B219-3988-63EE-9205-00000000BA02}5936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000120019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:21.861{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3989-63EE-9405-00000000BA02}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:21.861{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:21.861{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:21.861{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:21.861{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:21.861{3F28B219-1282-63EE-0500-00000000BA02}412524C:\Windows\system32\csrss.exe{3F28B219-3989-63EE-9405-00000000BA02}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:21.861{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3989-63EE-9405-00000000BA02}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:21.862{3F28B219-3989-63EE-9405-00000000BA02}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:21.830{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6393D62BCEE73C1F33D2628A3ADA07D0,SHA256=2D8DCF4E1A337B714BD138F869797A4A0955CFC26A875FE0C3F109C381A544FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:21.830{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A15F35523391DF13577CAC9D5F3040F,SHA256=B2EDEBB37A67CF39E239AA962CED29B411C4632A6C63D0176086417BC2642D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:21.622{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8B7785429DB6B79BC1AAAD33F433B940,SHA256=04EA403ECD53FF1936FF85B991790B35DC459D2B37FED43AAC199B9A04CC9B57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:21.193{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3989-63EE-9305-00000000BA02}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:21.193{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:21.193{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:21.193{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:21.193{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:21.193{3F28B219-1282-63EE-0500-00000000BA02}412524C:\Windows\system32\csrss.exe{3F28B219-3989-63EE-9305-00000000BA02}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:21.193{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3989-63EE-9305-00000000BA02}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:21.194{3F28B219-3989-63EE-9305-00000000BA02}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:22.984{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DA676B4736ACC57EF2838C031DCD2CAF,SHA256=74F017DDA5B0481B31CA2348E24419D083AACA72B744E1B86FBE70BB2EA9809C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:22.116{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBD4075D38FDD060FAB8F00DD3C26F94,SHA256=F0D43EDA2A4947C4191C1ECEBF149A514CC771A4382F0CF488B397E4B6A90594,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:22.938{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-398A-63EE-9505-00000000BA02}308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:22.938{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:22.938{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:22.938{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:22.938{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:22.938{3F28B219-1282-63EE-0500-00000000BA02}412428C:\Windows\system32\csrss.exe{3F28B219-398A-63EE-9505-00000000BA02}308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:22.938{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-398A-63EE-9505-00000000BA02}308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:22.938{3F28B219-398A-63EE-9505-00000000BA02}308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000120020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:22.054{3F28B219-3989-63EE-9405-00000000BA02}41806956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000089164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:20.159{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51648-false10.0.1.12-8000- 23542300x800000000000000089163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:23.250{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EB1CBF07662D2EE6A81A6A869817570,SHA256=6192306E86E610E99107CA6D3C1DC00056B271772C3494549D5693B57016AB86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:22.244{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64686-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000120031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:23.188{3F28B219-398A-63EE-9505-00000000BA02}3084300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:23.047{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ED2E21BC5D95D8795D68222488F4FE3,SHA256=E9ECA1B20D7551068477EAB8ECA5A135FE1C3652F8E7E30B0243BF3463F92336,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:24.334{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71EE5247DEDDD3B3AAF045335E94E3CF,SHA256=C5F05AAFAE3BE4964F54F7BCABDDE6B6656C5D89BDE1F66863C9A0FEFDF18C96,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:23.550{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local64687-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local389ldap 354300x8000000000000000120055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:23.550{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local64687-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local389ldap 10341000x8000000000000000120054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:24.826{3F28B219-398C-63EE-9705-00000000BA02}11486292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:24.757{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-398C-63EE-9705-00000000BA02}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000120052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:24.757{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-398C-63EE-9705-00000000BA02}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000120051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:24.757{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-398C-63EE-9705-00000000BA02}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000120050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:24.577{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-398C-63EE-9705-00000000BA02}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:24.577{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:24.577{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:24.577{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:24.577{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:24.577{3F28B219-1282-63EE-0500-00000000BA02}412524C:\Windows\system32\csrss.exe{3F28B219-398C-63EE-9705-00000000BA02}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:24.577{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-398C-63EE-9705-00000000BA02}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:24.578{3F28B219-398C-63EE-9705-00000000BA02}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000120042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:24.343{3F28B219-398C-63EE-9605-00000000BA02}54524440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:24.077{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-398C-63EE-9605-00000000BA02}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:24.077{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:24.077{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:24.077{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:24.077{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:24.077{3F28B219-1282-63EE-0500-00000000BA02}412380C:\Windows\system32\csrss.exe{3F28B219-398C-63EE-9605-00000000BA02}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:24.077{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-398C-63EE-9605-00000000BA02}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:24.078{3F28B219-398C-63EE-9605-00000000BA02}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:24.015{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=270041F98C25E045D35F3F5A4A6306A9,SHA256=A4220C76E617FAE5F3533749C66C2FC0243028DFB84153F24F365CC10974D855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:25.415{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F35EC42BDF0801F0DD2989A8A0BBC462,SHA256=C17CD8C2F9A0A42251B5DE17CD337A5EF501D201C1FA7480A1D5083815275D1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:25.108{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE67C8EDFAD9F829C70CE9601DE23B9A,SHA256=09A4EC8531ED0C6E8FE4453F0DB4E716D721BA64D34B374B57EB07C046D8D975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:26.493{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13BB8BB8A9E4CF948982EB77B7DE287B,SHA256=C6A99FD0423B30D16F510621B11CD8EBC75E7DE291698418ACA0E4AF28786BFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:26.531{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-398E-63EE-9805-00000000BA02}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:26.531{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:26.531{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:26.531{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:26.531{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:26.531{3F28B219-1282-63EE-0500-00000000BA02}412524C:\Windows\system32\csrss.exe{3F28B219-398E-63EE-9805-00000000BA02}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:26.531{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-398E-63EE-9805-00000000BA02}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:26.532{3F28B219-398E-63EE-9805-00000000BA02}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:26.188{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2EB45DFBDCE511712E090B35FD5C5E8,SHA256=39D9DCDE4E9771116E073F452DA24EA00E182E379948779A877CFF67A5FEEDC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:27.580{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99C59D1D0CDAB5C474A78A095E4AADBB,SHA256=9EF4999255D201D9110748D517D2D9E9D6B381A548ADE9CCE9F608DA692B4730,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:27.569{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7082998F6D68A8C77661040B7CA45E34,SHA256=92AF763EFC0CD0B64598C423A4E19B32F90A17ECCE9BA4671CF4EC9743BDABEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:27.277{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1427AA7B687E61DC03EAA6F500A33725,SHA256=46C0B8D3283AD1ABED2C70CDA6731551DD939E7BFDE01A41B9388E75E834D706,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:28.655{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7030CEE03B8142A050FD578625068807,SHA256=6F877170D727257BA1CF70532BB8475E078E0D07EFC563327F1939D813647E7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:28.361{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B2CB2938E124A7C67AC91AE94ACCBC8,SHA256=038E459304B9C4951AA4EAF4A07CA51933C08DA32E611B01861295BB2F071121,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:25.226{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51649-false10.0.1.12-8000- 23542300x800000000000000089171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:29.734{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D7658BC1F4E602655BF428C750B2423,SHA256=AD966809877F26DE85CB394C515DCE8D15F1430CB53436B817D7EFB363B59DD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:29.973{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 354300x8000000000000000120096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:28.239{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64688-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000120095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:29.477{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:29.473{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:29.470{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:29.467{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:29.460{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:29.452{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:29.450{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:29.437{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:29.427{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:29.423{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:29.420{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 23542300x8000000000000000120084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:29.419{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C095285C7353FF7DBD46D901CE9E00,SHA256=0D2B0EB2A9D48E13018F4E00E0970444F36AE6F2E319765DB376CB1B4C167776,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:29.418{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:29.411{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:29.395{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:29.391{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:29.380{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:29.360{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:29.347{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:29.335{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:29.287{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:29.271{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:29.252{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:29.234{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:29.149{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:29.140{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 23542300x800000000000000089172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:30.818{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=500B3CC8660A862286464DAD768C9A84,SHA256=AD78A8E3D369F46B63DAEC381FAD86C1BE7BA457B527C47E6C55A0C06055C665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:30.453{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3F08E04FA4439382D94868271079049,SHA256=E73DD290B4FD73C355D1E73890175D01E548D2FEA0A8636FF98D201D35D18C96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:31.902{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3D5E650FB8648EBA752D2DC78201A13,SHA256=B8387036400E5DEC375403EC423AEAAC1656100D2CFF73C11D65A14098ABA276,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:31.546{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E0B9BD0B5733448ED7282A6F2FD277E,SHA256=C8186DCF8A95289DEA7E8BAA4673CD6781BDDC28774EC6A3AF270855F02C1276,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:32.740{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:32.716{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:32.713{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:32.711{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:32.706{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:32.669{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:32.641{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 23542300x8000000000000000120114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:32.618{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1C8D9E7E97D6153654434991C657D16,SHA256=23327C6012240216BB43A81B8A1211DF46DB997C548FF53B898A3D38B3AF7FDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:32.578{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:32.563{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:32.553{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-14C1-63EE-EE00-00000000BA02}5488C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:32.542{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:32.534{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:32.532{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:32.529{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:32.525{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:32.521{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:32.519{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:32.517{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:32.013{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:32.012{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:32.011{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 23542300x8000000000000000120122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:33.687{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CF4F138FA6FA3C6DBBF14821C75079F,SHA256=4347EC401F1B6CB27829CA8DB33933E1172C5EFF6880984CC836A14CE0BF5523,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:31.155{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51650-false10.0.1.12-8000- 23542300x800000000000000089174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:33.001{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=260794F87D5EE9DCA0060FA9340A7508,SHA256=A64FF6E18E8A9E5DA4610CACB96187E3F329A72BDACDECFDF7CCB97CFAB58675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:34.778{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A68F1A420773690519FF096C7D5BCEDE,SHA256=5034DCE0581CA0F7A8282D5636345333D04B237E584DA32006B8F05CE4D44D33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:34.091{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB8C35157E253C46E791FF0DC35B70C1,SHA256=B7DC2A6CACCB97587D516B3759F3FBD1B45282EC6B77BA20F2BCBAB2C53A157A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:34.233{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64689-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000120124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:35.857{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CE52CAC8A68EB66FC172D417ADEECB4,SHA256=04F7B996110E4C0B682A88255EB87F787A0C74139A5B6325EB67EC831359F404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:35.171{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1508C4491192B2BAFB1F5E3A9651C90F,SHA256=DFD9FD5E01C4F75D88AC0507CEAE4DD5ED14311692B3A5BE2F1E27EDCC0C7B95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:36.937{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37DF280B28EBDCFBB91D3DF56B2D1E5F,SHA256=83F9C80E9C9CD8EA600C34526234ECD1958F84576E2F789CFA3AF5749660BE61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:36.253{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E720A2E8CE9E5B52A0FD6123B8484B7A,SHA256=0EA5B4D07B5AAAFF2EB9161A8EA61185E5072B3B0F13720C6F80F297C3497A2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:37.338{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03A5E2FF2C58261801AA8B417534C413,SHA256=41E27BAD20F09FFC32BBB2B7077BF8EF0241501F9A7E37081F8AF6B8E848529C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:38.407{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA8E5F6CA8D0469574777FF69E7642B9,SHA256=3AEB54E47F3327AD7E95ECB5EBF34E95CD4E2290AE2A67CC78EBBCCA10EDF877,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:36.160{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51651-false10.0.1.12-8000- 23542300x8000000000000000120127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:38.029{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DF2A49AF828453C71BD16E5E08E8B94,SHA256=52319C63751F2B2F32037D3D45263AFC014D1647240E0707BF4F8C43C9879693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:39.494{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D785525A96EAFBD4097E910B6F5FB878,SHA256=560CEAE2D39868EC4D9C4C6BD2D8AE86715B06BFCA935CD5AAE39CA8C86927EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:39.123{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8E1930E01197347A9E0AACD12FE6D0D,SHA256=79FC30E54346C54F93481140693B37EDE6A5D7140F91094659128E916AC65FC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:40.972{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:40.968{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:40.963{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:40.960{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:40.959{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:40.954{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:40.951{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:40.950{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:40.947{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:40.942{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:40.941{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:40.936{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:40.927{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:40.925{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:40.916{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:40.913{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:40.892{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:40.882{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:40.840{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:40.831{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:40.823{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:40.815{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:40.802{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:40.794{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:40.778{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:40.771{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 10341000x800000000000000089186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:40.762{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 10341000x800000000000000089185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:40.751{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 10341000x800000000000000089184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:40.748{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 23542300x800000000000000089183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:40.568{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A335B2A085E79B50A8443705693B7CB4,SHA256=DF290CAFEE69EEFC86CD535BF9B2C4B94D00CA6B1B229D8DFE17037D2B4438DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:40.210{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24A7835D716B9E941EE98FAA886056C4,SHA256=789A62001C23901939F2B673D68729A14F2044400296BC2F6B1D7F98E9B470AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:41.754{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65E9CAAF33191B134913734A3BFB8AA6,SHA256=AF3736E29C3B1C87844BDAAD0871C5E56AE68DB2EB705F4782F7E7597D0E7E45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:41.294{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EFC46D93825F5B9C0505B786C0784ED,SHA256=F925A07E50D40ADBBB78630AD79E6690C0051EB2BE13B6A3E47C0A48EF9C70D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:42.947{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC5134EEC16290C81B131E0FC7B204B4,SHA256=21F7E2182F14F1791BFA1CA9F8A89A102640DC419DE728332309E2E62C1779A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:42.373{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC258EFE5FE5AE4B53518CDAFB65E1CC,SHA256=4773D140C953DE5C9AF3A3B13E81971476644BB755E52ABA6A81CDA994FC31EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:42.649{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A8F0094D85F0786D40FA9CF8C15FEDB8,SHA256=1858BC29070F5C130A44573AFBFAA1866ADD8D0A37CB71B9FE08703C124A7844,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:40.275{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64690-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000120133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:43.451{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=360578F1B447006482B238608A6C5982,SHA256=0A87D54B9E26204AFE10B9DE65044E4CEB915F54FC6293671FB7316C2B7D74DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:44.531{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1F4450FA5A82C7FAE538967A5DBEBA2,SHA256=A3CB5D1827D8D5E327929CE4EDA6F0793E7A5E33B105B0AAF8D3E3B3D265624E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:41.180{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51652-false10.0.1.12-8000- 23542300x800000000000000089216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:44.011{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89864B3856E952C375F66A6BBE3F1607,SHA256=9F334FA49995ACC342244CD284ADA00C4E44A413BB32555A7174E19710B9984F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:45.617{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F38C9DA8346A7FB202FF60C43C29D47,SHA256=1F21CC63BD42BED550AB732C5DDBDCC0742AFE41EFAB9D1DB8CBF5FD945888B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:45.114{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A01AC49EA5396DE64AA8840F3053762,SHA256=8D172A6B1D989893BE12EA4A791CA612C4AEEDF8655193F975CB7551FE1E322E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:46.689{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C6EE5122338C54FC12048F1AC649DEF,SHA256=F209F62D01A86F57FABDCAC484B139A3DF75B538EEC68CD4A3418F2510063BD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:46.204{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3EFC019DBC1F182B879205D05A5BCD0,SHA256=5127B010ADBEA976609ABF32B98E6335C25EA93C833F3171CE8B09A5E2006446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:47.783{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B8A0161392E9644261D82D3FBDF46D5,SHA256=0A305C161676E09B67C56E8DB2CF90136B81F677CB26A0FB5FF2FAF9D08D9F45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:47.291{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A0A55DBAA4AA0F16598BB9659F54531,SHA256=4CD36F6D285A7AB7D02CF5E6192C92EF3F59C6DEB180D77D08A9745355A0C982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:48.869{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17D4CC828E975E11DA096866D82DA758,SHA256=A55E4836A9FA21ED74676E1F08082FC2D589A88080478B7D348A779706C26109,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:48.366{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=493EA03BF3AF9C145BD7CC54093C0D7D,SHA256=1364C24C49C80D77960247CEAB6871CBC5F9C7C2CA6632D233C33EB4E7016AFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:45.313{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64691-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000120166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:49.922{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B7DE6C82DC10774A2F7CDDC09E0C79A,SHA256=F7CB529FAA257817083C171BDCD3A0C8E717F4302B797AF11FE6E7373C83138A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:47.187{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51653-false10.0.1.12-8000- 23542300x800000000000000089222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:49.452{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90322015187A3AA70748311B522C4DCA,SHA256=4EBBEEA87066190B2A67CAE6610068433E23CE93181C84546A93441691108B46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:49.665{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:49.303{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:49.299{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:49.294{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:49.294{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:49.290{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:49.282{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:49.280{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:49.271{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:49.264{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:49.262{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:49.260{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:49.258{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:49.252{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:49.239{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:49.232{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:49.225{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:49.219{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:49.209{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:49.196{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:49.174{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:49.167{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:49.159{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:49.150{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:49.110{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:49.108{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 23542300x800000000000000089224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:50.528{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6411575602EE23E5F9322E80C3E2B1F2,SHA256=DDCAA6B872566F2EF746DF64138561D7114A644CA70B111D74D09D6BB34DEFB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:51.603{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39EA41EBDE1A29046AD4FE046D4A4030,SHA256=C40D620596B15C8B5BA0411AEF9124F59F90E7DE369B05D605A6C84ED8794058,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:51.701{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:51.700{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:51.698{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 23542300x8000000000000000120167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:51.000{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9C3ADF6BE5A388995D62D28BB3C4AE4,SHA256=E26BBEC3373955E860ECA89BB00502FEFEB01CF0355D964366AB3CDACC0EC78C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:51.014{A847701F-1280-63EE-1200-00000000BB02}1016NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2A2678DB700A294EE343A7FBB6EA3286,SHA256=41928506B056ABC6FFB3574E1581669A407EB21ED5AEC4E6BB919C7B64667CA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:52.676{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48D1C7CA8868DA11730A2826CF71B77B,SHA256=4504DEE99AA0EFD2533C6310A2A4D62DD68792EAAAFE7300604A873029754E4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:52.384{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:52.362{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:52.359{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:52.355{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:52.350{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:52.320{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:52.305{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:52.260{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:52.252{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:52.238{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:52.232{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:52.229{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:52.225{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:52.222{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:52.219{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:52.218{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 10341000x8000000000000000120172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:52.215{3F28B219-14C1-63EE-EE00-00000000BA02}54885568C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130803D0) 23542300x8000000000000000120171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:52.183{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEBF7B19F3CF8C0A81CDF1335772C394,SHA256=445E9ADC7993CF7CCC9D808101A2F5FC7E5EF596F16FBE8D9D2714F179D68A5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:53.764{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0084746A21227834588AA387773434EA,SHA256=14AFC2477FD6DF8D6ADFDCBF92ADE12EE6C2B1F1B4124E010905FBADE7DE140F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:51.331{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64692-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000120190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:53.248{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5471C27B67628055631E550D1D9505C,SHA256=A6F9CB959BF96A370AE83843C39889359B91B6D7A9E44B6582F5B85C047532A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:53.139{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=879ACBE17013D7712571498462C4111C,SHA256=FDE29601444A0BFA66DF9AA54413D22F1F391FB91DCDD6515FF0E57528DF74A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:54.865{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A098A57C91CF3B0F30B7EFFC369D4C7F,SHA256=3DF5DDACD62FF8C9333B841CA193DB9A9814598C5B23E736CD265D38C1F630E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:54.846{3F28B219-1285-63EE-1100-00000000BA02}756NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D23D907946D3B13DDAE51246AB3376D2,SHA256=52B3EA01954289D696531CE9D5FD1BC8687152B77C37D4EB78D5546E6144759A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:54.322{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06F5F6A626EBFD41DE0CC18DDD9279C5,SHA256=CE675169B1072D5B1327D18E0659C03154DB364F14ABBB489984C54A11FFC9E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:55.937{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65FDEB581D2D739EE551D723149C4ADD,SHA256=55AC4A9B0E7CD5827F1E206FB2C5336C4EAD8887C16A702078C572608DE278AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:55.409{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94A731FF3DDCD1BFE5B6667A49C52B34,SHA256=E03DD1BA5BA31A7627F47B04CCDCE7DA5DD425769DBC2C0852DCA08F29303637,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:52.340{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51654-false10.0.1.12-8000- 10341000x800000000000000089232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:55.579{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:55.579{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:55.579{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:56.498{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=322390A6E9461C82F0641CC9244DBEB3,SHA256=758A6330EA0052978D67DDC052EC416D86FD2CD376E90A29A2CDB40A48E44560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:57.575{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60EF46FD83B458058445C87CA3D0A575,SHA256=A7BF7D70976D2EE48946782C9276AB7518FDA5B8730C57FB0043BF0342C3718B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:57.028{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BE09C26B3AEE1F51464F4B36560083B,SHA256=63694EDAB140EA4228A0E984788B3443414FD4727BD82174325A355629B2A812,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:58.653{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CE8BB0952DB75B1C24676015C923D90,SHA256=60F5170F4146BD486E492683A0A3FF24B31F146B0092708F23D50075FAF09DEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:58.108{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0727BAC7782720C674F4820031D7B79A,SHA256=C8AA2F37090B3B4D9593073C206A3EBF4C64DD3AFA1844385FDB044448FEAAA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:57.292{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64693-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000120199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:11:59.710{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA3661114A5FC5D8434B7568D3075E08,SHA256=CF7A438826BA52EC0DE41EDE1B36946FB110C2B3AB40CDA6363A4538DD60F44D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:59.198{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABC033A73CE9D804FE4F6B22DC86275F,SHA256=09F02D684987D974338E25439DBE3134B12A69D468BD84BE983143394D27CEEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:00.782{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C07EA8A6E4569827A4D715CCE2B615F5,SHA256=8E002A5E586B561216C4E6044E0B4FE448EB6A8DF914830E455EB20BE48B9C24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:00.998{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:00.995{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:00.993{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:00.991{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:00.990{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:00.988{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:00.987{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:00.985{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:00.983{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:00.980{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:00.978{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:00.975{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:00.963{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:00.961{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:00.953{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:00.950{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:00.937{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:00.928{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 23542300x800000000000000089251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:00.919{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=281B95656156CCFC1211A59F701603F1,SHA256=86EC2ED804979D2F26D869E18FE5EEF314C2344A30388E16CC0816FC1020DA93,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:11:58.112{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51655-false10.0.1.12-8000- 10341000x800000000000000089249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:00.872{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:00.863{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:00.851{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:00.843{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:00.830{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:00.814{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:00.804{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:00.798{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:00.791{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:00.773{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:00.754{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 23542300x800000000000000089238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:00.283{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E97C5FFB310A57274397D64DB5CDED29,SHA256=B3D3479D6AB886D54E23BA93E9D6BB148336A5441462D56A61802B6A1C6A3C13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:01.874{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BF44744C6285C0653248CB1213E2C0C,SHA256=A5911AFA561E5CAEDF424B23B3FEEA9C00D61361A1699235367EDEA1F0D33A63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:01.455{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A138519FB10ABF4F1E49185F650FF506,SHA256=8B514ABE0C02341B0A24C41D3306E079F4BE08358F17767FFCD195C978F07AEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:01.293{A847701F-1281-63EE-1C00-00000000BB02}1884NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0729cc0666dfd4ba8\channels\health\respondent-20230216112453-162MD5=B67CF1AA8F02C4F88F32B9662830A5FC,SHA256=A3185EA3A347A8F67D824B533332877713B0C696AA9DEB83501331F2F0EF2A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:02.952{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C1A8FDF5E46AEA570122266E15A22B2,SHA256=6C183805D8CA5C62C45C91D27DBDB9855FADE542193BC62B10C09CFCA606B2D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:00.006{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51656-false10.0.1.12-8089- 23542300x800000000000000089273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:02.349{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57A11F6B7B1B8E1F7351040693F11A5F,SHA256=7931576A354E0673DEEAB98610F2350EB84E9941990DBE5EEE9AB83C61514618,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:02.293{A847701F-1281-63EE-1C00-00000000BB02}1884NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0729cc0666dfd4ba8\channels\health\surveyor-20230216112450-163MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:03.425{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DCFA4554690C7DD6055A3DA6FD3CAF9,SHA256=C20C700CC043CF883DEF5154788C7D7553B039AEDF7BFBD904AAFA4CFAE7A1E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:04.496{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E69ADD2676EB80D7093678993C808E,SHA256=C7E8A88A9BBD276DCB8482B59056F279FD252AF0F21A7F5DE48979384A8412E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:04.083{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8A12405D17A0C1B5F9328B8BCA81A2C,SHA256=75D57BBEF2AC637397F612455FAEB10B875CE47D5F757AC29D045C28239CCDBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:03.197{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51657-false10.0.1.12-8000- 23542300x800000000000000089277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:05.568{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6C1BB57983535E0CF6AD8E0D00BAAA3,SHA256=C92C917B5B5263341CFBA4EDA6F4B3D8053F17CDCCACB5766D69377C337DE998,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.699{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000120206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:03.221{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64694-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000120205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.183{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD2501541CEC31735AF4EAEDAD934423,SHA256=35B5865C93CAB6ADFA35DB81F78133A66237C0CA28983567F1DC54EFD76A9EFB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000120204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:12:05.182{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d94210-0xa5bf5817) 23542300x8000000000000000120246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:06.720{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76EDF500847D6D0E26ED51438F6A9D1D,SHA256=264F1573854D686B561EAB6FDA75B1FA867FAA27A9CA10D1551DF00735D49F4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:06.627{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44D8A8FD4A6F74D88CECF3405CFFCC6A,SHA256=61718137A13D8D6352EC455A5210814C98F5E57A13F98499CF6C36E4472EE573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:07.699{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28A3ED63740F8106FB0265050CDFDEFB,SHA256=3D6FD8062DBE96D807A44F055783FB6869566BCCA0FF9B476C3A20E5D68E698A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:07.698{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1E00-00000000BB02}1976C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:07.820{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C223007B8D981A502F0205DE94BA43A1,SHA256=F468C9BB6C90B584C82E7F1994E13910572D4D71BB19B4814609F91D529362A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:05.294{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local123ntpfalse168.61.215.74-123ntp 23542300x800000000000000089282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:08.780{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95EF7602306D19F76E8799C27855B5F1,SHA256=D9FFEB7DDD528D88EEC02A02808178778AE78E79BC0F3D7D206AA4D6AC556788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:08.790{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F87E277442348ACE976BB9BB6186E474,SHA256=E869A6CA55FF8BD16B61314508D3CC4DE69377143E310794F3C28915C603D8D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:09.977{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x8000000000000000120275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:09.821{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBE3F07E650BF0F6DB6596EF7231BB51,SHA256=94F9402D96D895A86571E6B05CF42FD3D8055C3CE533F60539194B64DED27436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:09.867{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19A9B01B73655990AEC9D4A150EA17DC,SHA256=2948BBCDF9273C4F228A512A129E87AEDFEFC27F04F22AA175275C174807A8B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:09.462{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:09.456{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:09.453{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:09.446{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:09.438{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:09.424{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:09.421{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:09.399{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:09.384{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:09.381{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:09.379{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:09.374{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:09.366{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:09.343{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:09.337{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:09.329{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:09.317{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:09.298{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:09.282{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:09.235{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:09.222{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:09.201{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:09.179{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:09.118{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:09.114{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x8000000000000000120279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:10.908{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D70ACB68DB1670CAE33657397EAE4C4,SHA256=0A84C6F22FB6E9087B887EBCB55AA57042633F24FABF8C4F284EE6EEB9BBBCFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:10.877{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=281B95656156CCFC1211A59F701603F1,SHA256=86EC2ED804979D2F26D869E18FE5EEF314C2344A30388E16CC0816FC1020DA93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:10.937{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E8DF78EE35E23C0349A28288B3AF51,SHA256=E1503FAE0ED3841793D9A3322803E25047FB2BAB460362395A626686026D3046,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:09.193{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64695-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000089297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:10.692{A847701F-39BA-63EE-2005-00000000BB02}23323672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:10.551{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-39BA-63EE-2005-00000000BB02}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:10.551{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:10.551{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:10.551{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:10.551{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:10.551{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:10.551{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:10.551{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:10.551{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:10.551{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:10.551{A847701F-127E-63EE-0500-00000000BB02}4122040C:\Windows\system32\csrss.exe{A847701F-39BA-63EE-2005-00000000BB02}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:10.551{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-39BA-63EE-2005-00000000BB02}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000089284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:10.552{A847701F-39BA-63EE-2005-00000000BB02}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:11.976{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=726C67C8C28D583CA5DB90C994768DBE,SHA256=1EE8EB5024B18431563254E86F49608054D8C4A1742B6B91E43827B6CAB492AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:09.167{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51658-false10.0.1.12-8000- 23542300x800000000000000089313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:11.860{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68EA3242B472DAB15721EA51CF1FE366,SHA256=72F8F7A2DED6BF675CCA950DE212AACA677AA28F5E4935D40E1E5A16069FFEBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:11.258{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A54998BAC3D3B731F113BDE204751BD2,SHA256=A21F09883C797E6C66E5332C5B34E3CB11C5A8CEA7D090B98A76E8F9D984518F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:11.224{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-39BB-63EE-2105-00000000BB02}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:11.223{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:11.223{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:11.222{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:11.222{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:11.222{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:11.222{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:11.222{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:11.222{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:11.222{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:11.222{A847701F-127E-63EE-0500-00000000BB02}4122040C:\Windows\system32\csrss.exe{A847701F-39BB-63EE-2105-00000000BB02}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:11.221{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-39BB-63EE-2105-00000000BB02}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000089299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:11.221{A847701F-39BB-63EE-2105-00000000BB02}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000120301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:12.693{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:12.678{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:12.677{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:12.672{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:12.661{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:12.635{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 354300x8000000000000000120295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:11.010{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64696-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000120294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:12.620{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:12.579{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:12.568{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:12.552{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:12.546{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:12.544{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:12.541{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:12.538{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:12.535{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:12.535{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:12.532{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:12.025{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:12.024{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:12.023{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x800000000000000089316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:12.887{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6FAE770B2AC97507E98148AC56125EA8,SHA256=C618B7FC1BA017F57307BC16C06AE1871E61BE58AB0ED27895C1570246D1265F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:12.026{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A4C5B0025B12179B0FF15245449CFE,SHA256=2610AFC66D446B90725EF8C59CC5082FA4F5C8AF6043A968AC5CEA417F948B7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:13.057{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69065877524F76DF648C2856A4BF933F,SHA256=5B66C6D4A03417D63FF2E62DD1ECE1B61BC470C911D635FE50DDD849B9188AEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:13.593{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-39BD-63EE-2205-00000000BB02}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:13.593{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:13.593{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:13.593{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:13.593{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:13.593{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:13.593{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:13.593{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:13.593{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:13.593{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:13.593{A847701F-127E-63EE-0500-00000000BB02}412528C:\Windows\system32\csrss.exe{A847701F-39BD-63EE-2205-00000000BB02}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:13.593{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-39BD-63EE-2205-00000000BB02}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000089318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:13.594{A847701F-39BD-63EE-2205-00000000BB02}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000089317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:13.115{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9A8B392E8860A12E78A2446BB0FBAA9,SHA256=8D1E26B1F6AC0DDC3301882EB7DE8AB673B617F3B610AC9F50531CA11199E2EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:14.136{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91FBB188E26913A4BAB25BCEC00112C5,SHA256=B75A7A0A7C12D2015BB52010161D90DA0F10CA1404207B5AF3A0EAC75DBF2413,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:14.880{A847701F-39BE-63EE-2305-00000000BB02}38723656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:14.645{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-39BE-63EE-2305-00000000BB02}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:14.645{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:14.645{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:14.645{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:14.645{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:14.645{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:14.645{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:14.645{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:14.645{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:14.645{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:14.645{A847701F-127E-63EE-0500-00000000BB02}412528C:\Windows\system32\csrss.exe{A847701F-39BE-63EE-2305-00000000BB02}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:14.645{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-39BE-63EE-2305-00000000BB02}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000089332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:14.646{A847701F-39BE-63EE-2305-00000000BB02}3872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000089331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:14.203{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F8FA2006FC48B8D0EF02FC06275F636,SHA256=7293A02547505DAF15072D14DF594C4494A60862D69D3F9A04BF288929193F77,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:14.341{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64697-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000120304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:15.245{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B09F1C120AAC2B17A59A436FDE269E9,SHA256=937F20CBA4146067E45267F39829F3F0EC6CCE40D91DE16284BDBD6E73E0ACD5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:15.820{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-39BF-63EE-2505-00000000BB02}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:15.820{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:15.820{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:15.820{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:15.820{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:15.820{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:15.820{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:15.820{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:15.820{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:15.820{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:15.820{A847701F-127E-63EE-0500-00000000BB02}412428C:\Windows\system32\csrss.exe{A847701F-39BF-63EE-2505-00000000BB02}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:15.820{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-39BF-63EE-2505-00000000BB02}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000089361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:15.821{A847701F-39BF-63EE-2505-00000000BB02}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000089360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:15.544{A847701F-39BF-63EE-2405-00000000BB02}22281464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:15.325{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-39BF-63EE-2405-00000000BB02}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:15.325{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:15.325{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:15.325{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:15.325{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:15.325{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:15.325{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:15.325{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:15.325{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:15.325{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:15.325{A847701F-127E-63EE-0500-00000000BB02}4122656C:\Windows\system32\csrss.exe{A847701F-39BF-63EE-2405-00000000BB02}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:15.325{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-39BF-63EE-2405-00000000BB02}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000089347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:15.326{A847701F-39BF-63EE-2405-00000000BB02}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000089346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:15.310{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA24A1415138DA16CDBCDBC330B8388D,SHA256=D4ED63F91DA6B2D9322E7294032C0C0448DAF30BFB125E418F42C1BC02556A36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:16.685{3F28B219-1293-63EE-2700-00000000BA02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-005f8c708c98243a3\channels\health\respondent-20230216112509-162MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:16.339{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7516A8FAC01F951E2395F6268E6C297,SHA256=C692506E9E0964077967E11923AF27A57BB377BD118EA8652F6BC75C8002533F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:16.556{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11EA7A4454724275A327F2B48090938F,SHA256=CF9C1DBB00395754FC7C244B592FF52E9642D6CFA620DB9C4E1D4982BDFED379,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:16.011{A847701F-39BF-63EE-2505-00000000BB02}3048904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:17.692{3F28B219-1293-63EE-2700-00000000BA02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-005f8c708c98243a3\channels\health\surveyor-20230216112508-163MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:17.400{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF500140C91C371806E056309DFAC418,SHA256=BC9101E2DB600B561E72EE983C5218105076D63B3896443C0D62D1564DF41776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:17.576{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45BEF016717CE0DDC504DDE0C899035D,SHA256=939C5DC055DC317CDF0682247707381C57C2F779711CF34BFA2F3F88AA4C3100,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:14.288{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51659-false10.0.1.12-8000- 10341000x800000000000000089391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:18.785{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-39C2-63EE-2605-00000000BB02}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:18.785{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:18.785{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:18.785{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:18.785{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:18.785{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:18.785{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:18.785{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:18.785{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:18.785{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:18.785{A847701F-127E-63EE-0500-00000000BB02}4122040C:\Windows\system32\csrss.exe{A847701F-39C2-63EE-2605-00000000BB02}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:18.785{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-39C2-63EE-2605-00000000BB02}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000089379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:18.786{A847701F-39C2-63EE-2605-00000000BB02}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000089378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:18.645{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B48C1770D26E4AA675C014E4436BD9E8,SHA256=AF166BADD5CFEBD24F3B1C73572D2405F24D5DEB15C6E9C810370B954CCD3FD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:18.463{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EC25BD8CA173356796A6B4E868B8DB3,SHA256=C865B4B9B3E0977ADF163CD4FCBA0600DB1B41D6F957DEE0D697D27ACF870196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:19.747{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B16C85E90E226DF058658D43E38C9461,SHA256=F9E9BACD4D24B52ACC5077FC543A582E5B8E19B4D78E1FD5D6C9A104D9213AD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:19.550{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81104A6984D85C7B47D6A96A144358A6,SHA256=0CB35A81636517E1472764E64ED8AD3D1B75CB60DA4083341BB3B8E772DC9F41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:20.929{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:20.926{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:20.924{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:20.921{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:20.920{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:20.916{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:20.914{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:20.910{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:20.908{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:20.905{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:20.904{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:20.901{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:20.892{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:20.889{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:20.881{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:20.879{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:20.856{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:20.847{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 23542300x800000000000000089405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:20.821{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D087E62B4D79D1CA1B3F3E454EEC859E,SHA256=1317AB9A74344E9F9183CEC21960436B166F54C3125261D5AE70CE657393707C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:20.809{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:20.803{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:20.796{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:20.791{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:20.784{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:20.779{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:20.772{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:20.761{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:20.754{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x8000000000000000120322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:20.942{3F28B219-39C4-63EE-9905-00000000BA02}20205104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000120321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:19.395{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64698-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000120320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:20.698{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-39C4-63EE-9905-00000000BA02}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:20.698{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:20.698{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:20.698{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:20.698{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:20.698{3F28B219-1282-63EE-0500-00000000BA02}412524C:\Windows\system32\csrss.exe{3F28B219-39C4-63EE-9905-00000000BA02}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:20.698{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-39C4-63EE-9905-00000000BA02}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:20.699{3F28B219-39C4-63EE-9905-00000000BA02}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:20.635{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70CC76D856B8BDDD68BF8B7C17318C7E,SHA256=1D01E00BD34D308A39180AB3FD9CE5102665F70B12BCCA92636AA7CF60056D2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:20.744{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 10341000x800000000000000089394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:20.742{A847701F-1281-63EE-1E00-00000000BB02}19762964C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013F04190) 23542300x800000000000000089393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:20.038{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68F23FD637EDC6E0408CAC5EF4034509,SHA256=F9160618DBA90DD0469EBCD197CB9E46BD9EB7F6E615ABE65160FCA1D845E973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:21.833{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA898DEF198DFF48F0DBACA957759943,SHA256=7ECF225582792B934D640D12C1270B9A2ED778B161F89A4D706596A23652A540,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:21.712{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA3A1D5CE71ED6798EC069FBB39CBD27,SHA256=43FB8D7D4846A9EA132FA6C3124F80DF8D0A3D77C0EF290CBC5D8DF6CC70DF05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:21.697{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-39C5-63EE-9B05-00000000BA02}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:21.697{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:21.697{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:21.697{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:21.697{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:21.697{3F28B219-1282-63EE-0500-00000000BA02}412524C:\Windows\system32\csrss.exe{3F28B219-39C5-63EE-9B05-00000000BA02}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:21.697{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-39C5-63EE-9B05-00000000BA02}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:21.698{3F28B219-39C5-63EE-9B05-00000000BA02}8C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000120331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:21.196{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-39C5-63EE-9A05-00000000BA02}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:21.196{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:21.196{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:21.196{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:21.196{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:21.196{3F28B219-1282-63EE-0500-00000000BA02}412380C:\Windows\system32\csrss.exe{3F28B219-39C5-63EE-9A05-00000000BA02}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:21.196{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-39C5-63EE-9A05-00000000BA02}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:21.197{3F28B219-39C5-63EE-9A05-00000000BA02}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:21.165{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6BAEE3899BCBF26B1150662B71CCAA32,SHA256=2F782ABA8474D094D3E12C817059EE7FC5F86D347DBB6BB7769912D9557F7B5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:22.937{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-39C6-63EE-9C05-00000000BA02}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:22.937{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:22.937{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:22.937{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:22.937{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:22.937{3F28B219-1282-63EE-0500-00000000BA02}412368C:\Windows\system32\csrss.exe{3F28B219-39C6-63EE-9C05-00000000BA02}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:22.937{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-39C6-63EE-9C05-00000000BA02}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:22.938{3F28B219-39C6-63EE-9C05-00000000BA02}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:22.804{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D98B45DF7F16D279B637FA431E8F957E,SHA256=4A0FE20D4BB0C93B6821C5002A89D146062AE432D40083A6A3A5BC72CC5CD181,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:22.306{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7469B81691B641EC2D99B1142405CB4,SHA256=3F11B0F0936CD2D87FC5553A111C5268BA004B38B9BDA61757C08D040D471DCB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:23.932{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-39C7-63EE-9D05-00000000BA02}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:23.932{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:23.932{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:23.932{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:23.932{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:23.932{3F28B219-1282-63EE-0500-00000000BA02}412368C:\Windows\system32\csrss.exe{3F28B219-39C7-63EE-9D05-00000000BA02}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:23.932{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-39C7-63EE-9D05-00000000BA02}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:23.933{3F28B219-39C7-63EE-9D05-00000000BA02}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:23.885{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53B447547C683D8224D666556C5CA723,SHA256=3FDF9293C796C7A3E9547C5A1F82F991AB4836977A6A22F3583DFE26736E23F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:23.409{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70FB59CBB054F9D719897820C9103247,SHA256=82F61519FFB60747B7892D6A6117CF2B40EA89D584C1207C952DEEF1408E2D1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:20.216{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51660-false10.0.1.12-8000- 23542300x8000000000000000120358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:23.274{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6C130EE48BD1EEB0F5EC924DF925561F,SHA256=1D3D703F17125B36ED55C4FFC44EDBC55B8B8284BB39AEF33F19F38044FFB19D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:23.119{3F28B219-39C6-63EE-9C05-00000000BA02}1168416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:23.099{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-39C6-63EE-9C05-00000000BA02}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000120355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:23.099{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-39C6-63EE-9C05-00000000BA02}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000120354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:23.099{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-39C6-63EE-9C05-00000000BA02}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000120353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:23.097{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-39C6-63EE-9C05-00000000BA02}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000120352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:23.097{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-39C6-63EE-9C05-00000000BA02}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000120351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:23.097{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-39C6-63EE-9C05-00000000BA02}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 23542300x8000000000000000120383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:24.957{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B5E7C1831642F067DD63B705E2B0D97,SHA256=8F6D55B4AC71211128E7153F574B10961B66F381AB97D698C13833684A318253,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:24.395{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=315181DD968D4716FB36320A75C632A1,SHA256=77820B22EEBEAF165DE6C6A855F3B23B5BEAD14DD1D813DD40913A513711C0FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:24.848{3F28B219-39C8-63EE-9E05-00000000BA02}67643680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000120381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:23.557{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local64699-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local389ldap 354300x8000000000000000120380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:23.557{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local64699-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local389ldap 10341000x8000000000000000120379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:24.602{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-39C8-63EE-9E05-00000000BA02}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:24.602{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:24.602{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:24.602{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:24.602{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:24.602{3F28B219-1282-63EE-0500-00000000BA02}412524C:\Windows\system32\csrss.exe{3F28B219-39C8-63EE-9E05-00000000BA02}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:24.602{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-39C8-63EE-9E05-00000000BA02}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:24.603{3F28B219-39C8-63EE-9E05-00000000BA02}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000120371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:24.140{3F28B219-39C7-63EE-9D05-00000000BA02}55084136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:24.115{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-39C7-63EE-9D05-00000000BA02}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000120369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:24.115{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-39C7-63EE-9D05-00000000BA02}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000120368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:24.115{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-39C7-63EE-9D05-00000000BA02}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 23542300x800000000000000089428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:25.498{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3621F1FE4E690216DD869A283308C34A,SHA256=D0F854F85E4C0DB8B7E7CF4C5D9300C9EB2A3CF63C9C6C9D0C20D6C3A3564DE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:26.570{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C46D639C601E6D2994D0EFEB07BEB590,SHA256=CA5CC346A38A7B49967C50744D0044194489AF8C5DDAFECCF687CEBB713CE8E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:25.384{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64700-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000120392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:26.549{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-39CA-63EE-9F05-00000000BA02}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:26.549{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:26.549{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:26.549{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:26.549{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:26.549{3F28B219-1282-63EE-0500-00000000BA02}412380C:\Windows\system32\csrss.exe{3F28B219-39CA-63EE-9F05-00000000BA02}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:26.549{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-39CA-63EE-9F05-00000000BA02}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:26.550{3F28B219-39CA-63EE-9F05-00000000BA02}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:26.057{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1600E8D844DBF20F08F6451C7573DF6F,SHA256=04ECCE154FB5D5B7F8248594D8F8A0B62F16673AA87AB98E59441F527D8DB399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:27.660{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFDB8D9674E6E069547F3F841E8C3658,SHA256=376A1EF483668D89EC7E68F5BB8986B4DBA590D88BBB1619715D4CA8F9AF2B49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:27.685{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5C9D43928519CF6EE12E4E302C5D773,SHA256=6FFCA9243C83AB16E39FA16F9D4B698344ED6064DCDC28D187F5973F64CA3FBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:27.160{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F359A02047FBDFD0157FC731AFEEDC8,SHA256=FEFC81A9BC6411A18580EDFE762328702C4B6E8C5B5C9EB146913B745F61A3C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:28.740{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=083BA94ACFBBDFA4177316994349298E,SHA256=6151A825D4114F14675FB0703A5578EC1D5B344DD35EC8E41CFC18F9458B07A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:28.229{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D80AB014C1E4AF069DFCA9B845E44E05,SHA256=A6E88580116FEF81B011485C714D1794F57F80D280DA2938C6CC6F017DA3C728,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:25.260{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51661-false10.0.1.12-8000- 23542300x800000000000000089433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:29.825{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A82C721C2875B65549C5FF4051120FEE,SHA256=6A66ACF6854F5254AEC9BF70981E03A9EDA08DB085E820A6DD6D6159662809D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:29.933{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:29.469{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:29.462{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:29.461{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:29.457{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:29.448{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:29.439{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:29.435{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:29.423{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:29.411{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:29.407{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:29.405{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:29.402{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:29.394{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:29.374{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:29.364{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:29.354{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:29.341{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:29.325{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:29.307{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 23542300x8000000000000000120403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:29.291{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51E8B313D6C1A8911DCD19F17DCFC616,SHA256=249D8ED4F941BAE4CF5C11FB60AEFC3265548D605E0F08BF01C3F25DD4536BF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:29.263{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:29.252{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:29.235{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:29.215{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:29.134{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:29.132{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x800000000000000089434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:30.900{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=991FA9117BFCD3AE251E6AF9121D5415,SHA256=6797F10DB39B2BF7099858729805F0F7326EC0BAF77774CEB401773AE7EED73A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:30.329{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD8F214641CE285B424D8952CA2D18D,SHA256=28E1310A607D3E32F0EB5118326F256E88FA11E974A5FB29BC9FB156454A0618,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:31.973{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FEB38D1C285F1C470D74746B3339F4C,SHA256=2252C8C784B4582994CBBAD8C3B9467E4B7E34C2F7303663EAA957A0B356C394,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:31.973{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:31.972{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:31.969{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 23542300x8000000000000000120425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:31.422{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA85E3177D7CDA4C6C5249546DD51BCE,SHA256=88844C456DF32975D475709D069D88C926602307AD0572A82DA4B80E84C9B13F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:31.254{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64701-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000120450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:32.649{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:32.636{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:32.635{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:32.632{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:32.626{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:32.599{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:32.575{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:32.575{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:32.575{3F28B219-1283-63EE-0B00-00000000BA02}6284564C:\Windows\system32\lsass.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:32.574{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:32.556{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-14C1-63EE-EE00-00000000BA02}5488C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:32.529{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:32.519{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:32.507{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:32.502{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:32.500{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:32.497{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:32.494{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 23542300x8000000000000000120432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:32.493{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD39C45C1F16CAC939157A0FC0FEFA54,SHA256=5588A8E293BFBE779557BA09BE7B70DF665E3454E633300D5176CB915C50E12D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:32.490{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:32.489{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:32.486{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 23542300x8000000000000000120452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:33.577{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC514EAA618BE63FB402D8AA1B17E526,SHA256=1D6D9F7C3E7A8111F74EA64CA31D2E9B15EA42B90C514E16412766EB86A5B4B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:33.040{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=380A162E0C3E5A626BDAAA283BAE1927,SHA256=6B6C60585A86CA3411E69A3FDE83E9714F1D76C630BAF456B48BB8F9A256F1E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:34.663{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBED9C6C3F9E5377B1CD96CFDCA42C58,SHA256=AF2B9BCF68802B1378A2C364CF99A4C036F7D69AF93AC14F1BF43BA910F76D6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:31.184{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51662-false10.0.1.12-8000- 23542300x800000000000000089437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:34.102{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=714DCBB472E9FE7470A9C6DD9B4663FD,SHA256=95F203A8BA688E27E29EC0B24420982B1A029F4C8D2FDE7352E4C334B817808B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:35.748{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6C53C94834EAB3C2540ABB4122CF917,SHA256=7C559EAB933D50CE549AA4665CBF12463F4E5A0FF14FF0EFBDA61C4CD5DB1F9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:35.183{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A599D9F6B46F92B772983954C217DB,SHA256=7F82ABAFF9A138AB9BE3DDA0BA93EE0155941689E9D7034851A5F32C5F7AED8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:36.833{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9F74D2CBF20E9B7E58A5299F3CE1334,SHA256=0A5CEFC0863150DBEBC7355579146BDE8308FFC8143E9BB1E96DD4A96B3D8526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:36.248{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CD0D6FBAD06CB3E369EE44960B50FCA,SHA256=E0E610BDF9D141F14BAA265E839F90CBF4453BCFB04D67711D87DD67338E3EE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:37.906{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03621D5138F1276A385BF734380C8F46,SHA256=A370AA6C0A1C769872A3931882E47C421690A3CCD9B675AB7D382A6802D820F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:37.312{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE1A8D0EEBD6DBAE835E618C0CED1276,SHA256=3D1FC6C12FB57BCF1AB1E5943B14584AD22E5F73A138E5B99CED9EF071D07572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:38.978{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2E4723C234D21391034B530030AF721,SHA256=CA663BB519ACF5E46A98625C1AE332263F92ED9B98ED392DA1B1E9C218A12F31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:38.384{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97E308C4BAEBBA8A2D426E0DF7D59BDD,SHA256=9772FE0533A15EA3316CA9FA3C6C40F22FF8332FBAB6AD6F4488387093A902E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:36.306{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64702-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000089444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:37.173{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51663-false10.0.1.12-8000- 23542300x800000000000000089443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:39.471{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1756209B3E1B3CD37519A217B45FDDE,SHA256=E889A1364665BB7EA551E1928746CCE64757EE2D4A230A68AAA039A2B937382B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:40.957{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000089473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:40.955{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000089472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:40.949{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000089471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:40.946{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000089470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:40.945{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000089469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:40.942{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000089468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:40.941{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000089467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:40.938{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000089466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:40.937{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000089465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:40.932{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000089464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:40.930{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000089463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:40.922{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000089462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:40.913{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000089461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:40.910{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000089460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:40.902{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000089459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:40.898{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000089458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:40.881{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000089457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:40.867{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000089456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:40.838{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000089455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:40.828{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000089454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:40.821{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000089453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:40.813{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000089452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:40.805{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000089451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:40.798{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000089450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:40.790{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000089449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:40.779{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000089448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:40.770{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000089447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:40.757{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000089446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:40.750{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 23542300x800000000000000089445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:40.550{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE2C8184EC21FC0B706B816C1471EC17,SHA256=FCFCDA877CB1F6AD60D1775A3DC5A26F36E8F275D7FB6C20CF714A00FED4CC54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:40.075{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD7C72BAF0E27333BBD1CB4D42D2886F,SHA256=7C835CA51AB4E8C0960B63A8E288F26ECE59DF6CD223A9F21B4971725080BF1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:41.924{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=159BD741566CF1E555C5D11DCBC16584,SHA256=5DBD55C38647EBDA058BCD6A4D140ACA7C60A2E66A4BE7488A49C15CF338B134,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:41.168{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EF13064EE58EDB522CFF48D0465D900,SHA256=8E20B164D55F2148EAF121C6953A821A15854B30768485A7E18496244B6B0760,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:42.946{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=287F123AD7045AB798F1E87D7AC4EBD9,SHA256=2539F41B5F3EB7B0F4811684A88E47C68CFB06E88A34DEF856500B26C836BF8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:42.242{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EDAA8287E913619BAEBC6CDCF4D2BDA,SHA256=6AB622F167DEDBE3D8BFAE1C52CE419BBFFD4E77E54ED499F1615D64FC55C421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:43.320{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CF29CAE9D6378061185FB9131E621CC,SHA256=DF93644D0A49F143D88D21EC288B151F0FDB4EF9990044EE77726352E5CF534F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:43.101{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F0C2CFD2F2A541438787F5E98805565E,SHA256=36DDE87A87BABC94666AB0B47AC3DD8182AFB7986821839072CF9C175318D4B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:44.422{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37F89DA2AD29984700D00AD5441171BD,SHA256=FF7531E800B41E4FEACDD1857973F49789B544F2A37F87A1EC72C0E42F810067,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:42.297{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51664-false10.0.1.12-8000- 23542300x800000000000000089478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:44.036{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDE76D7A4D66ACE8D97B0FF01C541484,SHA256=B9A9DE8C3177A3E34325BD391B83722D3D22AAA7D3C274563E9A27873A5001CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:42.290{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64703-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000120465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:45.506{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=314328E4CF31576963B21693840F6525,SHA256=44AEF847F2ECFBF500C00CF21ED28A4DC76F95D5CBA47093A971BD48960D11DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:45.134{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75949C636484D825B20D0CC07FE24763,SHA256=7F125F980311DFF56D388B3EA2E96ECFE99CF78ABCFA337168BF9E43B2A01295,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:46.583{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58A4E8D955A9EF8782DB7D5CD5FA0BC4,SHA256=AFC47DA9FAB2A7AFB835070C5C2FABECFBA86E53A443FB6D0ED7037654395E5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:46.213{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EF15F820F6BD6387F0B9E0454040C02,SHA256=AAAA16851E65857046961A2C8101CDCAE2A2E9DA7D86D2B0A598ED74D646E102,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:47.660{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFBD51BE0FFBD5BFEBE0BB9D688DB47C,SHA256=F8BCF008E49CF7B03A573114A14D26300E1995D4AABE8D15545EC1F7A0CA8B14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:47.300{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A6EE5E15BED9D3F03A16129C12D8B9C,SHA256=C8BE211C0E9A405FA56EA2C566FB6866F488A20D9CBD50EC86C90DABBBBB4DDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:48.762{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9082790F52FE74E75E4199717AAF5AB5,SHA256=B4DE42E0F914292614D311182201A6DD2A56D36B4F92D51185A1856736BAFA03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:48.385{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5A7238B4DF6520BFE195866BC7E3FEE,SHA256=B935AFAB92D255284C3FB20AF51A819398DFF3A90A6A33DE1E2E399891963474,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:49.819{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFDE1202FA744565F741115DD70035AF,SHA256=60F343495F74A31E83E7A5BD5AD502572F350332B5A407B2F54A8921FDAD0398,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:49.470{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC827AF63EF6F6FB6CA3E2548E6BFEA2,SHA256=99FB28F36A53643B6CAF3E7B3C21D5A032E7EEB0376343E0E772DA6FE8833E08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:49.478{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:49.473{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:49.470{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:49.458{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:49.444{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:49.432{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:49.428{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:49.412{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:49.399{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:49.396{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:49.394{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:49.391{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:49.373{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:49.335{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:49.326{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:49.305{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:49.283{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:49.272{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:49.260{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:49.225{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:49.212{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:49.204{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:49.185{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:49.120{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:49.117{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 23542300x8000000000000000120497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:50.984{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19BC04157223C6564876DDA5F9BA57FF,SHA256=EB9C2A06B076EAF25EC0E34F5B1055FDBA9D0CD047EC29C69F0B4D75731FB223,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:48.291{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51665-false10.0.1.12-8000- 23542300x800000000000000089485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:50.552{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=465BD2A541D31D8006DF389FF48C352B,SHA256=A4EAF50CFC0EAF7488CCE841D801CC2C3C54B0CB6396D7C98F2711EF368A723C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:48.234{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64704-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000120495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:50.279{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 23542300x800000000000000089488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:51.653{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D52A958542D5CE0F80D2074313C290EC,SHA256=616FC22B02D3BD6DB9FA515E7554B1E786FF1C2F1EEAB17361F0ED74729F1A69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:51.024{A847701F-1280-63EE-1200-00000000BB02}1016NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=77FD66FD319167ED2CCABF20747E4212,SHA256=0567A34B0E11E8A72772827ACC25FCC95466FDD77FC87F209F0E855306A0A260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:52.835{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F41D580444B6961C4803DD1B953C1E60,SHA256=8A8BB3B88E0B6CE8CBAF00E7794A88545E7FED6282E99EB8D09CD8F3C5A9D860,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:52.971{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:52.958{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:52.957{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:52.955{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:52.952{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:52.930{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:52.910{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:52.867{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:52.857{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:52.844{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:52.835{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:52.832{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:52.828{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:52.823{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:52.820{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:52.818{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:52.815{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:52.310{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:52.309{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000120499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:52.307{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 23542300x8000000000000000120498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:52.063{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28761C46566FD41A8F7B629825D835F8,SHA256=3D33DDAAA168A34BDF00872F9D841110CA143CAA39A01683FA8951F6A06BABC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:53.919{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F8D8753D70795C31A1E250AF21415DF,SHA256=B89CC0771C8F82E52605B0AEFB6C259DAF232FE84088D1C4E3033C1876640A20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:53.470{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=599EE68C1C50C04D39189EC3C9F0ADCE,SHA256=DC32BAD639B745980DBE7CD526F862BD8F1D6688B178D47406BC380A148764A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:53.126{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BCC0E380F9D2681F8CB0020791F43C3,SHA256=EF7C6AE495080E468E31882B8BF13BA43438B308AA8FF3E91960AED2A0DC3BBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:54.858{3F28B219-1285-63EE-1100-00000000BA02}756NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=DC722A818A22D635AAA297380F62F555,SHA256=48F42A170D968ACFA3D95AC047E2498B600DF59B8A6F3184AB15749CB00EC90D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:54.202{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D06EB178358156DF62EFA80BD77180D,SHA256=5AC5EA700A5B3F37207D830A66F741487EC1B7A0CFED11AEA83982506845E1D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:53.378{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64705-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000120523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:55.298{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBD10964DA79B50ADA01F2FB3CE285CE,SHA256=10D2468DA7670B0D7974506297E8914E5835A6DF72178CA198BCF850C8CAE631,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:55.006{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16952E311A9F2B312237A531EF691E7A,SHA256=EF75AD87B974653908EFECF505DC00873F936B48C0FED50A684719254139AE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:56.391{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10C04B2BCCD1917F48D90276C0B50585,SHA256=ED6168F67BD39C117D21EEC572286A63081A2F9BC4731B1E92A342E4DB21ECF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:56.096{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32C8BB0B5B27979BEE492612055C1ADA,SHA256=20B4B1179FE8DA5D324C6A1E1429BD2F601598763306BCD7D201D2EA9A188310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:57.463{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17F9C343B2938C48E8643935C2A7DA30,SHA256=91A4C3B3ADCCD721E76D2733F58A8C1301211F2CE7C8DCD248BE0293D4F77F95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:57.177{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6487B006AF833B3977A6F1BC95D0DE40,SHA256=83DE40EA0F77CAC08F972E561242681FDF6298A53751BD18797A919D722B200C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:54.296{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51666-false10.0.1.12-8000- 23542300x8000000000000000120527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:58.548{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8AE0859E0A37224FD3B9EBF7B7EE3D7,SHA256=AE4275BC0DA1473EC9E6108F0AF9E4B0BEEAFBD48C7C67DCF60CC9E58A2227C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:58.257{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9882839F3A0A56082B3E894EA8A92B59,SHA256=7B115111012278BED155AFFE245595DDED4C352D35A70459B57CE2CF7C259339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:59.627{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4D0A8607CB05DA95162627798BC34AA,SHA256=A2FB702F08E9EFD38BA134E3D193412637E5E3F6C32C0D6ECE68CBDABD627FCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:12:59.349{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8A165DA0CCF00C1AE404FFE8338D119,SHA256=FF2CF6BB3F2631DF426FD8ADC6B5FDFA836E9B303EB14D42DB64C27A8016FAF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:00.801{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B6E80B1D5F973C262E7A9AF91E7AEA7,SHA256=4DDC9FBC428C9926204937C7E3FD144A5B5F68D42BF31AE1D9891C92506562B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:00.950{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000089526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:00.947{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000089525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:00.945{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000089524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:00.943{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000089523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:00.943{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000089522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:00.940{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 23542300x800000000000000089521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:00.940{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=281B95656156CCFC1211A59F701603F1,SHA256=86EC2ED804979D2F26D869E18FE5EEF314C2344A30388E16CC0816FC1020DA93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:00.939{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000089519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:00.938{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000089518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:00.936{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000089517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:00.933{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000089516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:00.931{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000089515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:00.928{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000089514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:00.918{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000089513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:00.910{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000089512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:00.902{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000089511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:00.899{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000089510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:00.885{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000089509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:00.878{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000089508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:00.847{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000089507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:00.837{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000089506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:00.825{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000089505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:00.805{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000089504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:00.795{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000089503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:00.783{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000089502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:00.771{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000089501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:00.765{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000089500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:00.763{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000089499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:00.759{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000089498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:00.756{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 23542300x800000000000000089497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:00.433{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B28CDB8B5890D6361BED222970996987,SHA256=99C8B765557E1C147FDECA1AD6C0910504CA66326C886373F26840FB32F2AB74,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:12:59.395{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64706-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000120531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:01.905{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A1C65D5D2758C9494393963F1DEB08F,SHA256=CE2EE7EFEC25CF17FE645274ED5D1E0F47C27F8D77BA9BB59E8847A5AA75F6A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:01.603{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A65233CB55977A95CBA95D6D44651F72,SHA256=45DA5D706FE6CE5F75B92F94003D1F6F8740A01AA46341D74CF7D57ECCFF1A2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:02.984{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D07E57230E2155E540DAC77B137801D,SHA256=66C33B09BD51D64B589A920767D3B8B71B54EF839519998611234474624536AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:02.818{A847701F-1281-63EE-1C00-00000000BB02}1884NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0729cc0666dfd4ba8\channels\health\respondent-20230216112453-163MD5=B67CF1AA8F02C4F88F32B9662830A5FC,SHA256=A3185EA3A347A8F67D824B533332877713B0C696AA9DEB83501331F2F0EF2A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:02.679{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21B897AA6CED5060F0BA93672C6949CD,SHA256=28A1C045D1FF860FC270387CA20D5E6A828B5ABFE7070ABA1861A1D96482FF94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:03.815{A847701F-1281-63EE-1C00-00000000BB02}1884NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0729cc0666dfd4ba8\channels\health\surveyor-20230216112450-164MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:03.772{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B08E557103F7DAE75390985932EEF5A,SHA256=81E66DEDCFF7C2E319360DE146A666F5553D88A07D6CF64D1E9FC8C439519390,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:00.267{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51668-false10.0.1.12-8000- 354300x800000000000000089531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:00.023{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51667-false10.0.1.12-8089- 23542300x800000000000000089535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:04.857{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C28A5AF78A61273FD95B682018C10730,SHA256=1C9B46088DBF39F052715E6431697DB1F390E66E111E0FA1123912C9D1DC43FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:04.074{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC296819470680ABFA7299793BDAB9F8,SHA256=AF736E488AAAA6756B1BD05331A9AA39C5A2EEE4528A0657A267056F77D4455C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:05.972{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E22B87176C0B137A50D831D4B4B6909D,SHA256=911ADD2AAB048B235D34BC9E0AB998E9812C5ACC27F8A992F9B327C1B86252B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:05.158{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B948B99E37B5526460571C3CE7FD001B,SHA256=B1A358714B084F0405708645E595D7264FC6BD8491922738F8732AE5D208EF0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:05.269{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64707-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000120535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:06.251{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADCFD900F2237A03BF03EC56BAFD4BA0,SHA256=0ABCCF66689BC0CE6ADD29E5A6B9E2014DD0AA5E19B10C03AF235D648B1526B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:07.340{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0663E8B7679CAA26F753A725AEB24C95,SHA256=E334A29569497D65680AFAD6B686E64B48263910DCCEEF62F4BEA2C931758E77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:07.715{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:07.715{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:07.715{A847701F-127F-63EE-0B00-00000000BB02}628716C:\Windows\system32\lsass.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:07.699{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1E00-00000000BB02}1976C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000089537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:07.035{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1846E1335908969F25E4509DCCB81FAE,SHA256=4A7583D3D1B183A998E82A35C615F2000466B6DF00DAF8C993178C440AA94A91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:08.410{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB36D6672DD82DE0B22E6D0B751A91AE,SHA256=F272781EA185CD5D1A29E731AF9D709AFF21265166E3B87367A22D5EFF6574E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:08.704{A847701F-127F-63EE-0D00-00000000BB02}7843956C:\Windows\system32\svchost.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000089542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:08.111{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AC05F57B4F21882F19C25473F53F31D,SHA256=7F363128A91E578578E09CFF5312C841AF03A60309F57DE07B39672FD4C69750,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:09.497{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C74A583E96E788067B8017306F082EF,SHA256=3C46CD96B040D17E2C1EBCA67F15EB04C935AE108FBBC9DDAB5BF8888A087C83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:09.451{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:09.445{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:09.444{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:09.437{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:09.430{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:09.413{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 354300x800000000000000089545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:06.224{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51669-false10.0.1.12-8000- 23542300x800000000000000089544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:09.190{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7579785C5AC381CF7F1A2446E9907154,SHA256=A9C32BCDE959E8D433AA00E618776932646A14AF95ABECE722752D5D6D58B4C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:09.404{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:09.385{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:09.369{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:09.358{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:09.356{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:09.353{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:09.346{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:09.320{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:09.307{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:09.294{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:09.280{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:09.261{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:09.245{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:09.209{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:09.197{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:09.183{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:09.174{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:09.116{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:09.112{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 23542300x8000000000000000120567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:10.895{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=281B95656156CCFC1211A59F701603F1,SHA256=86EC2ED804979D2F26D869E18FE5EEF314C2344A30388E16CC0816FC1020DA93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:10.439{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7101450AF02E5B99A2D21C8FFDCB2D74,SHA256=A7A19CBE29914D7F6C8D9D542C78FBCE32A7659B1B18751E50E62772F2FD3165,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:10.689{A847701F-39F6-63EE-2705-00000000BB02}8961120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:10.502{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-39F6-63EE-2705-00000000BB02}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:10.502{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:10.502{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:10.502{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:10.502{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:10.502{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:10.502{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:10.502{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:10.502{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:10.502{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:10.502{A847701F-127E-63EE-0500-00000000BB02}412528C:\Windows\system32\csrss.exe{A847701F-39F6-63EE-2705-00000000BB02}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:10.502{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-39F6-63EE-2705-00000000BB02}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000089547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:10.503{A847701F-39F6-63EE-2705-00000000BB02}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000089546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:10.267{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B5009027327AB215BD2082247EC466B,SHA256=DF1EFBD51B8D073CDC4250B03703400AE4FEFD7D2A838E414AECED7B4494A378,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:10.026{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 23542300x800000000000000089576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:11.976{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6C56046E8DE13E01B79086F44D419E21,SHA256=7188CB142D8AC9559D4A1860D634B8390244852362988E1260AE30A7866EDEE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:11.639{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58D4401EDBF2D2A4EEB03ADD278BA5EF,SHA256=41BFC35B062244C31DF49A2F068F386C6203AA68118981DA37153563F38F9108,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:11.639{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCE069E731A946C8DF1DCF53D9CEAD8A,SHA256=BB776FB624F76C83BC0CBF4A43EC7804C7FC2A653F627C5EBCFD7AFA035EFF06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:11.496{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9E89C2003D96752A3CE4F2169D11A5A,SHA256=F7345794A32D3EB18A59CB703576574100AF9AAD633A955CAE90BDF3D9565B52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:11.170{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-39F7-63EE-2805-00000000BB02}1492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:11.170{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:11.170{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:11.170{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:11.170{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:11.170{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:11.170{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:11.170{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:11.170{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:11.170{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:11.170{A847701F-127E-63EE-0500-00000000BB02}412528C:\Windows\system32\csrss.exe{A847701F-39F7-63EE-2805-00000000BB02}1492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:11.170{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-39F7-63EE-2805-00000000BB02}1492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000089561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:11.171{A847701F-39F7-63EE-2805-00000000BB02}1492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000089577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:12.772{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A3DBFEB6E7EABF0004CAC7CA1FC53A6,SHA256=E55257F0519AB181D4F212D54BF443BA03B96FE3E136AD25DE6C3F9163429539,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000120593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:12.789{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exeC:\Temp\1.ps12023-02-16 11:56:09.298 23542300x8000000000000000120592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:12.789{3F28B219-15C5-63EE-3701-00000000BA02}5348ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\1.ps1MD5=E3847747D55B5F06A70F1C49B648691E,SHA256=7EE7840EE6473B6F0F2B59E95966FDDE8CCC973B79A56BB4E4645482245E3D5F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:12.743{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:12.731{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:12.727{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:12.725{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:12.721{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:12.700{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:12.687{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:12.646{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:12.637{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:12.619{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:12.612{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:12.610{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:12.606{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:12.600{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:12.597{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:12.596{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:12.592{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 23542300x8000000000000000120574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:12.559{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E416E6EA28B6C2CDA02676635966F73,SHA256=172651248410FF355A245785BAF770A5C8E411CD62CCA3CE1D29DC08417C966E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:11.278{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64709-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000120572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:11.037{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64708-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000120571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:12.076{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:12.075{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000120569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:12.073{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 23542300x800000000000000089592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:13.856{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C67735ED76A082EFFD26DAFB0E2B8E01,SHA256=93094BDE3AE9B6D70B0EC4584A8D7750F54B6F5889D2BEDFF2C2DD89F9053448,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:13.566{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE0B8AD1FC32F381F46F4BA652D5B64,SHA256=DFFEA277265BFA0BB2ECADF9CE1F19F456E76B86CE24459E7CBFD67B9F6C9DDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:13.591{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-39F9-63EE-2905-00000000BB02}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:13.591{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:13.591{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:13.591{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:13.591{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:13.591{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:13.591{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:13.591{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:13.591{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:13.591{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:13.591{A847701F-127E-63EE-0500-00000000BB02}412428C:\Windows\system32\csrss.exe{A847701F-39F9-63EE-2905-00000000BB02}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:13.591{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-39F9-63EE-2905-00000000BB02}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000089579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:13.592{A847701F-39F9-63EE-2905-00000000BB02}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000089578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:13.388{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DA8631D7A6F0F61ECA6817428A54359C,SHA256=7B0228A20CEA081506CF205711D868F11DDF353A43B13F1F7E589E513CDA015B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:13.191{3F28B219-14AE-63EE-D900-00000000BA02}50206084C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+18459|C:\Windows\System32\SHELL32.dll+89d20|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:13.191{3F28B219-14AE-63EE-D900-00000000BA02}50206084C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:13.191{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:13.175{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:13.175{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:13.175{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000089608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:14.962{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54B1EAA6B88AA449D476AEB20F0681B4,SHA256=7F2FD00DE992792A778DFAA871F0D13C078E1CCED48271474FD5ED87F5C84EF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:14.891{A847701F-39FA-63EE-2A05-00000000BB02}2123668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:14.625{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=018AB6B91EB75D39817E915CCEC48747,SHA256=22522A39E7B13ED0944B042E377136DF177F183873586DF639921AE68D54492F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:14.672{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-39FA-63EE-2A05-00000000BB02}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:14.672{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:14.672{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:14.672{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:14.672{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:14.672{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:14.672{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:14.672{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:14.672{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:14.672{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:14.672{A847701F-127E-63EE-0500-00000000BB02}412528C:\Windows\system32\csrss.exe{A847701F-39FA-63EE-2A05-00000000BB02}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:14.672{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-39FA-63EE-2A05-00000000BB02}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000089594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:14.673{A847701F-39FA-63EE-2A05-00000000BB02}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000089593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:12.177{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51670-false10.0.1.12-8000- 23542300x800000000000000089623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:15.932{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFF2EA7B169068F4845FC02CA666FB5D,SHA256=BDC66ECADB0184567DBAA5BCD51AE98CC748EF5E1098980925A252B755B3DA3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:15.706{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F16E2D868262E691D6C0E8BA6A6DF13,SHA256=3AF96F67B634ED859912C8516DAB8169961B12BE1E895048B7FBAA8E0921C02A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:15.592{A847701F-39FB-63EE-2B05-00000000BB02}32803112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:15.342{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-39FB-63EE-2B05-00000000BB02}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:15.342{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:15.342{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:15.342{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:15.342{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:15.342{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:15.342{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:15.342{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:15.342{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:15.342{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:15.342{A847701F-127E-63EE-0500-00000000BB02}4122656C:\Windows\system32\csrss.exe{A847701F-39FB-63EE-2B05-00000000BB02}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:15.342{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-39FB-63EE-2B05-00000000BB02}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000089609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:15.342{A847701F-39FB-63EE-2B05-00000000BB02}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000089641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:16.986{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A1BA3793C5B1C73F3C47C4A070EB6C1,SHA256=D11D389A2AAE0B80CA73FF732ECA8F8D702D5FDE688CDAF7C3D9093EBD7B924F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:16.990{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F1FEDCA46B533C9D41D4CD75B446825E,SHA256=33A55FFEFC2A0D8CEF7678C314D4F596C4BFD1ED7EB5135B0CA37D82CF94AE6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:16.777{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB97A020321C666D5C780A92167E3335,SHA256=F91CFDDCAEACBD21A1E15296638CDC71B1F157488E5AB97B3BC78BB2C83012F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:16.256{A847701F-39FC-63EE-2C05-00000000BB02}35883052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:16.149{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-39FC-63EE-2C05-00000000BB02}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000089638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:16.149{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-39FC-63EE-2C05-00000000BB02}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000089637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:16.148{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-39FC-63EE-2C05-00000000BB02}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000089636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:16.018{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-39FC-63EE-2C05-00000000BB02}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:16.018{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:16.018{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:16.018{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:16.018{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:16.018{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:16.018{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:16.018{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:16.018{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:16.018{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:16.018{A847701F-127E-63EE-0500-00000000BB02}4122040C:\Windows\system32\csrss.exe{A847701F-39FC-63EE-2C05-00000000BB02}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:16.018{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-39FC-63EE-2C05-00000000BB02}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000089624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:16.019{A847701F-39FC-63EE-2C05-00000000BB02}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:17.849{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=155EBF38DDA350E000BA61AD1FB66978,SHA256=C13AF0B6A3B13D90624964D04D93564E70FF31930A5B5CFFC7B6F6CA88112866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:17.231{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9ED3E3D8E1412EE2EEF3FF84C6A6A302,SHA256=39DA9F878B7D79BD6F69A775AC1DBF097D5BD8AFC5DF31FF407015412D8CB5F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:17.219{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=48E296F27896A1AD816511A56A309793,SHA256=4F6D9DE7C9172BFA0428B86CE9EF7CDE0AB87CD1A93CAA042315D62EDD159AC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:18.936{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81ED9C3185400AEECA0DEBCE830769F7,SHA256=F6C4635CC3C1B45EE9D96978132EB888600A67DAD109312A5D29114CDD3F0502,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:18.865{3F28B219-14AE-63EE-D900-00000000BA02}50206084C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:18.865{3F28B219-14AE-63EE-D900-00000000BA02}50206084C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:18.865{3F28B219-14AE-63EE-D900-00000000BA02}50206084C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:18.856{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:18.856{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:18.856{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:18.856{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:18.810{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-39FE-63EE-2D05-00000000BB02}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:18.810{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:18.810{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:18.810{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:18.810{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:18.810{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:18.810{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:18.810{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:18.810{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:18.810{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:18.810{A847701F-127E-63EE-0500-00000000BB02}4122040C:\Windows\system32\csrss.exe{A847701F-39FE-63EE-2D05-00000000BB02}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:18.810{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-39FE-63EE-2D05-00000000BB02}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000089644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:18.811{A847701F-39FE-63EE-2D05-00000000BB02}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000089643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:18.066{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF98284B62E465B8294772244DC2B359,SHA256=3A13F2E5F2869ECD5B99211A1FA2C52EE66347071CAC85883124A5FD906392F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:16.388{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64710-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000120607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:18.220{3F28B219-1293-63EE-2700-00000000BA02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-005f8c708c98243a3\channels\health\respondent-20230216112509-163MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:19.908{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C72CC189124E6C90D0BF411CF59A72F,SHA256=1A198F764AB7DDB8652817FE40C5556F469B4DB06DA40674FD6A5685874F07E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:19.226{3F28B219-1293-63EE-2700-00000000BA02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-005f8c708c98243a3\channels\health\surveyor-20230216112508-164MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:19.155{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F759D8F9EB2C12DE2A4B859DE2985653,SHA256=32896413FDCF5A91CAE45E9D082D7BEA482F90E30A14A437C5D1C570162D0954,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:19.104{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-39FE-63EE-2D05-00000000BB02}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000089661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:19.104{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-39FE-63EE-2D05-00000000BB02}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000089660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:19.103{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-39FE-63EE-2D05-00000000BB02}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000089659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:19.103{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-39FE-63EE-2D05-00000000BB02}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000089658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:19.103{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-39FE-63EE-2D05-00000000BB02}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000089657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:19.103{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-39FE-63EE-2D05-00000000BB02}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 23542300x8000000000000000120627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:20.986{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CCD61A38CEC15531505E0480C6148B7,SHA256=2B5139208E82E40643A19223C20C8DD752C297289E5522989E35640F70E5C03B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:20.711{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3A00-63EE-A005-00000000BA02}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:20.711{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:20.711{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:20.711{3F28B219-1282-63EE-0500-00000000BA02}412428C:\Windows\system32\csrss.exe{3F28B219-3A00-63EE-A005-00000000BA02}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:20.711{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:20.711{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:20.711{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3A00-63EE-A005-00000000BA02}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:20.712{3F28B219-3A00-63EE-A005-00000000BA02}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000089694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:20.926{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:20.922{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:20.919{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:20.916{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:20.915{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:20.911{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:20.910{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:20.909{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:20.907{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:20.904{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:20.902{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:20.899{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:20.890{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:20.886{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:20.878{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:20.876{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:20.863{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:20.851{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:20.827{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:20.820{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:20.814{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:20.804{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:20.794{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:20.788{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:20.781{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:20.774{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:20.766{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:20.757{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 10341000x800000000000000089666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:20.755{A847701F-1281-63EE-1E00-00000000BB02}19762516C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480190) 354300x800000000000000089665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:18.179{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51671-false10.0.1.12-8000- 23542300x800000000000000089664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:20.156{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=304700B160FA6569AB9A8C00F4FE7A29,SHA256=C6AE0FEDFD1C91E2056624F3E23B3B02B1C722332098264CA2214BB231AB1663,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:21.283{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3359D5E6C3BE54EE6F07A4E1688449D0,SHA256=84547085FC07265DAB3F90EABD05661AC9FDAB2A9A4BF42EF472CB458C15BE8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:21.832{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3A01-63EE-A205-00000000BA02}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:21.832{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:21.832{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:21.832{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:21.832{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:21.832{3F28B219-1282-63EE-0500-00000000BA02}412368C:\Windows\system32\csrss.exe{3F28B219-3A01-63EE-A205-00000000BA02}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:21.832{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3A01-63EE-A205-00000000BA02}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:21.833{3F28B219-3A01-63EE-A205-00000000BA02}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:21.752{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D43B3A7DD32840FB88CF7FC72F300C6C,SHA256=361D67EF6DF921FA26163361B7DCE184C419F2B380ACCF7734EE4D5D311A84A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:21.330{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3A01-63EE-A105-00000000BA02}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:21.330{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:21.330{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:21.330{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:21.330{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:21.330{3F28B219-1282-63EE-0500-00000000BA02}412368C:\Windows\system32\csrss.exe{3F28B219-3A01-63EE-A105-00000000BA02}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:21.330{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3A01-63EE-A105-00000000BA02}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:21.332{3F28B219-3A01-63EE-A105-00000000BA02}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000089696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:22.326{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF2C52F72936B981D40BAAD567FCFBF9,SHA256=944AF5CE76A8A10BB904FCEA8337D7D3115601C1AC5E27E136D7A6FC01C11866,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:22.953{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3A02-63EE-A305-00000000BA02}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:22.953{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:22.953{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:22.953{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:22.953{3F28B219-1282-63EE-0500-00000000BA02}412380C:\Windows\system32\csrss.exe{3F28B219-3A02-63EE-A305-00000000BA02}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:22.953{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:22.953{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3A02-63EE-A305-00000000BA02}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:22.954{3F28B219-3A02-63EE-A305-00000000BA02}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:22.282{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2AD7B3D14D0622D69C7E262C28F77A21,SHA256=591D3E08DFD87B936316FC35FB10CC4F51552931AF7CD2901065EC1016605AB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:22.074{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4090E37B80F47F12827FAF5F2491E61D,SHA256=91FF76A92813C3B919DF019C8940B868E97F38BDD92EC8EBD5A5C3CEB66D71E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:22.027{3F28B219-3A01-63EE-A205-00000000BA02}9564672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000089697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:23.415{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BDD2A18A21FD3E39DB61AF89FDEF92C,SHA256=58FABFBACAD1760BA5D948ED5FC56EC282CB686CC5F583D2D03537E51763859B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:23.937{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3A03-63EE-A405-00000000BA02}2640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:23.937{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:23.937{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:23.937{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:23.937{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:23.937{3F28B219-1282-63EE-0500-00000000BA02}412524C:\Windows\system32\csrss.exe{3F28B219-3A03-63EE-A405-00000000BA02}2640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:23.937{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3A03-63EE-A405-00000000BA02}2640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:23.938{3F28B219-3A03-63EE-A405-00000000BA02}2640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000120659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:22.321{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64711-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000120658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:23.663{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1EEF489ECD750122A85BC90965A40DC2,SHA256=E897CC3AAA44E668081CEE6DA1430D44F55E7148A42CCF754F7B74A7A69888D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:23.172{3F28B219-3A02-63EE-A305-00000000BA02}68081932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:23.062{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4DA3A6F1ADF331FD160A692F3DF2681,SHA256=263C69EFB06D84996DCEBC6DA3B66FB6DDD44A2C8DAFCB0C45B8EF4699A5FD2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:24.521{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E74B51149B1D1529091C130F182032E9,SHA256=9C07D0FCD1350F9E76252400E1A5DB4200368A3C14DE488B94B28F3DAFCE710C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:24.901{3F28B219-3A04-63EE-A505-00000000BA02}40124852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000120679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:23.571{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local64712-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local389ldap 354300x8000000000000000120678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:23.571{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local64712-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local389ldap 10341000x8000000000000000120677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:24.614{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3A04-63EE-A505-00000000BA02}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:24.614{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:24.614{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:24.614{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:24.614{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:24.614{3F28B219-1282-63EE-0500-00000000BA02}412368C:\Windows\system32\csrss.exe{3F28B219-3A04-63EE-A505-00000000BA02}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:24.614{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3A04-63EE-A505-00000000BA02}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:24.615{3F28B219-3A04-63EE-A505-00000000BA02}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:24.172{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8CB021B74398F7E67FB1BF6B448298B,SHA256=192408F055670293189C10099EEB19D31602C2D4058AB9B55B9E9794EE0DDA8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:24.156{3F28B219-3A03-63EE-A405-00000000BA02}26406724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000089699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:25.599{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDF5375917640D5086E047A1209E6B98,SHA256=2F96DD49450BB769653BBA2A146369059955A75959199E80F97DDC0ED1B26E56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:25.244{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76833DB7F22360D52393BEF7E900CC91,SHA256=1430A75B0793260E6FF2434D69D6B8892BADAAC5A7F39FE2E0BA4C844EAC60E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:24.163{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51672-false10.0.1.12-8000- 23542300x800000000000000089700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:26.679{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD254B68FA4678A2D3D7DE86E956872E,SHA256=109A9750CD95FC52E4B52549518BFD7C9B6F2D6675C174B51B8ADF733951C9D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:26.524{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3A06-63EE-A605-00000000BA02}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:26.524{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:26.524{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:26.524{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:26.524{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:26.524{3F28B219-1282-63EE-0500-00000000BA02}412524C:\Windows\system32\csrss.exe{3F28B219-3A06-63EE-A605-00000000BA02}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:26.524{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3A06-63EE-A605-00000000BA02}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:26.525{3F28B219-3A06-63EE-A605-00000000BA02}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:26.345{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3B807BA10CD9A39236C17DC1D7B3C72,SHA256=C8EA268512F7EF1960408F354AC83E4AF4B462092DDC117CD5F03CBCD1967D35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:27.751{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F5FF0D55CA3FD6E7FEC57767C2004CD,SHA256=3A958FE0CE4FCBECFAFDC0F5C5D69ED8288281C75A6EDAC62E1E523DA9FEC2CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:27.583{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=821181F26542892C61CC90EF2DE8DAC1,SHA256=DCE08486B96570864969ABC8B0E24BD4C32EA67727D62B58E51E834E1CFC31E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:27.417{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=928BB2716879886AD7FC7B3250D51872,SHA256=79FBE650A170F0B65D864896672879ACE5D58B992BB809C95FE04EA7BBA75E0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:28.837{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A68CDD3694CADB00EDBE48D409FED0B,SHA256=AFAC2892B4982FB05C08E0A8FC866CC92D6901A320336C3B7938548CB9A2630E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:28.493{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39FD01D636566285A61C5A572E80F928,SHA256=99E514A256A5329ED15ED31B172B1F24CDF07B8AD19B7FFEB11C1BFE70FB562C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:29.922{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1C69AA7B4D74D2994268B1484757EE5,SHA256=5EB3D5A915910C4F9E757EE5FBBAF0DD01B55DD0B923E9D603BEDD2AE4865CF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:29.975{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 354300x8000000000000000120720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:28.229{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64713-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000120719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:29.551{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:29.548{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:29.546{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:29.540{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x8000000000000000120715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:29.538{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B13B451ED19B1B4DC83A6C42927B7748,SHA256=AB550699C812A106B18481D29BD7065B20FD1E7267EC5A654E88049396721E92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:29.531{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:29.519{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:29.517{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:29.502{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:29.494{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:29.487{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:29.485{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:29.481{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:29.471{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:29.450{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:29.439{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:29.425{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:29.412{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:29.396{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:29.372{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:29.328{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:29.315{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:29.297{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:29.275{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:29.130{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:29.125{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x8000000000000000120722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:30.568{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=925630768ABE5A61F0B386AA6EE4A0BD,SHA256=40C5F8B9C2BA7746DFABF8430D15C7F979290F915EBDEC234516A35BE3BF5F70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:31.651{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADCA1D7A9441D1DC5210BF82A41617D4,SHA256=83F942CF38A46A8C6EEF756DE8BD512D99969CF8A9131EF43053843E19DCC6E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:31.003{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FC153BDA5A4F6449ECA8C974A821862,SHA256=A97DA851FEBD41362065F149257DE7C1FCA9F9BEC3F264080FB49C94949A0E92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:32.706{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE51C027E770EFD7D85E6CDFFCCDFD27,SHA256=782AD938ADE46A922D707967D75CB6FADF3997A5B8F29229193BF2BB411C3E2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:32.699{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:32.681{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:32.679{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:32.677{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:32.671{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 354300x800000000000000089707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:29.314{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51673-false10.0.1.12-8000- 23542300x800000000000000089706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:32.064{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA82792AA4082DBFA068AB7A45B117A5,SHA256=A4D4908B7E112B072801DD23A321E81F2567E93CA6B2D0BA9BB30C5A1B6CC5EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:32.645{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:32.628{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:32.576{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:32.574{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:32.574{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:32.574{3F28B219-1283-63EE-0B00-00000000BA02}6284564C:\Windows\system32\lsass.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:32.564{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:32.554{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-14C1-63EE-EE00-00000000BA02}5488C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:32.547{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:32.537{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:32.535{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:32.530{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:32.526{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:32.524{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:32.521{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:32.519{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:32.016{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:32.014{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:32.013{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x8000000000000000120749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:33.795{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8000B9A3A641A779482AFE80EE2A5CC4,SHA256=9CC3236664C377A122C973AFCD2FF8935D3611A5004CCADC4A5441135F870E9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:33.127{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE84DDB85F355B59A3F5B444F7939E87,SHA256=9AFB29F54D9BDAF66ED2006EB84938AFC63872BEC37982354500CB875A0865DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:34.868{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0505568B900EB26B4F79E6EC6F558C4B,SHA256=A72B691DF1850292F45E01F4C7EC1391821CC4A6BD8FD291AF2EA4BF2BE7C22B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:33.365{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64714-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000089709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:34.192{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E757B8721E16AE175C9221E489FCDD64,SHA256=3045F4AB77AF6837B008F076DF69E829763ED3B9E99369F60A503D16D10036AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:35.941{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00AA6490F90C67C36290358594914595,SHA256=E7378DC522725779CAB20B28702D97ED4B86BD3026F7EF50BF56AC6192C401CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:35.270{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1411E45BE538D93E4B0695656A67E27E,SHA256=55EE3A86E18C3D05B1A3F241DF6D2902CEAE41B8827EF49C768BDF0D26D992C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:36.333{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0400225F721DB1A32CC906051787A4FD,SHA256=B0F9315F0A9AE78524BEADEACBF4DCD1CEF74E1B5D0834E76996526C4E517514,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:37.416{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F331E1E069546F4BC1BD1A87DF523111,SHA256=9BD0752A53ABFFCB40B883B689D8F3F1369D947090B2F6B0BB0569A01B37790B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000120755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:37.749{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exeC:\Temp\1.ps12023-02-16 11:56:09.298 23542300x8000000000000000120754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:37.749{3F28B219-15C5-63EE-3701-00000000BA02}5348ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\1.ps1MD5=120F399938DEAAE2C9F57C6696C19F45,SHA256=C94CA36910980F786B06349A8482F89327B890AA22B74AD239F76AAD4839A454,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:37.016{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C1535AB3DE42811D4CEAAFFDA837518,SHA256=968DF054E7E1DC6579FC615AD1997676B8A4C8A7628FD4D72353BC389F21AC5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:38.487{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E87AF494284DF5B5A021A05CDDE736F7,SHA256=2BEBDF4FB927D2D5FCEE78C09991F970922A2D295446C6D3D2BA2912F8DD23FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:38.195{3F28B219-14AE-63EE-D900-00000000BA02}50205336C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+18459|C:\Windows\System32\SHELL32.dll+89d20|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:38.195{3F28B219-14AE-63EE-D900-00000000BA02}50205336C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:38.195{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:38.195{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:38.195{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:38.195{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:38.086{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E04E51E69B447B2589A3919FA07C497,SHA256=07B6EDFCD42E2FD743949A7B3D6978F0985F5EA4B2D1406D09537B37B4E0528E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:35.317{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51674-false10.0.1.12-8000- 23542300x800000000000000089715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:39.570{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C757C6A5F4D92DB67FA4FB2926553F9,SHA256=F100DC91262958D34E04B76F5AE9109EA9C7E7B904071D2F0EA8E492CA52FFF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:39.163{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AD8762CAE6428C9D9A925031B335F6C,SHA256=A8E7D7A69F2964E1BD39635018001318561ADC15972A915CD7799419E3C1459E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:40.995{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:40.992{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:40.988{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:40.986{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:40.979{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:40.977{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:40.974{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:40.970{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:40.966{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:40.956{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:40.952{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:40.941{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:40.938{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:40.924{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:40.912{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:40.870{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:40.850{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:40.842{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:40.830{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:40.823{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:40.814{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:40.799{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:40.788{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:40.779{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:40.767{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:40.760{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 23542300x800000000000000089716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:40.652{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E2FC4D3D4BE4741CACC27705A58B02E,SHA256=3B4AB7207A04EA9AB72B1EDF11B283F77F1BC365BA10147E2951169B1195C127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:40.246{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B035EAA8C05C457B9317FF527A28E84D,SHA256=7347D2DDC05368A739E4917916371CE3C46CA2A4D8EAB6170A3E7FA2D38F63F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:41.975{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20C29BADB91462DA3754FCA9B9CD6626,SHA256=C0EA1386F72A1163F3B2B0905BEDDFBF549C3FDA22EFDA237B835AD38EDB013F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:41.324{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3280ABD514E268707C0FAF98A3027E13,SHA256=C180550401B11709A707EFE9751527A0C318D409F0FAF060DC944102A7D1EC65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:41.324{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2DF8128461692D0C72EDC04EF342F0A,SHA256=DF6E7F932E92E6619AB7B34FB3F5AD7D3968AFD9E68F40D5584A07C7D71C787F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:41.024{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:41.014{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:41.003{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 354300x8000000000000000120765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:39.274{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64715-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000120775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:42.442{3F28B219-14AE-63EE-D900-00000000BA02}50205336C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:42.442{3F28B219-14AE-63EE-D900-00000000BA02}50205336C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:42.442{3F28B219-14AE-63EE-D900-00000000BA02}50205336C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:42.427{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:42.427{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:42.427{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:42.427{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:42.411{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8D47E305A5E0776C71268E2EDD49EA2,SHA256=D07331DF6C9DF80F9B82497F707AEB8629C403C9B513418B7EAFA493C1D2F6BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:42.600{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B1D2D475827D79FF9BD46FF8EF034AE6,SHA256=FC157882D7800952B7DF2ED572C3315977F1D7A1967FCF083F1D06927823A7CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:43.480{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1C5605373D57757BCEC1984527586C4,SHA256=4133A90E2A7D84A6246C1A7C60767289B49116FA6CFBEB899AB54A49EA733E04,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:41.233{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51675-false10.0.1.12-8000- 23542300x800000000000000089748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:43.011{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E90C1ABAD6673D394AC5E86DD10A3C7B,SHA256=EB1518EE221E53F4D85B35EE88A0E9C5F0312EBD5EB926B8C94006C79C0FFFA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:44.557{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E706CC6313A1025EF44BE29A6C79E3F,SHA256=9045A4BB78C9D87348ABAA81F914C2F28ED4627AB24C60E45B5C9327BC725E5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:44.095{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBED6E1BBCB17C57A111356D2CD41D1A,SHA256=863F6B1035FC01184C8F006467CE6FF5471142C7F3AF29C234EB386A222F0702,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:45.639{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAA4029F25A504F8E4F9BB527EB2442D,SHA256=070804F47C075C2536A92B14DA94B13A8D7F221FC5CD00048E163A1FDCFE55D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:45.177{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DC4341EFE1E1ED1B118D6D5B58496EE,SHA256=EFDCE9F4F68AA9EED85DEBDD94150D8F0582056B3CBB29D5C467836AF7D07A14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:46.735{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32640F7CA1B25EE36D11A8D59A3A23A2,SHA256=22F9EE8AE78E59C5EB705BB1A9482A5C2D841723D3693B8A088B0DCE34701330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:46.253{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=315AC533128FFDA24EF1F8E634E9A072,SHA256=D0EFBBC465669A9D97F5BAEAB9203DAC3BD2F56EF2D27475332A7BE23820C970,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:44.277{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64716-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000120781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:47.820{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60AE2700237B5B4FAF733DF084FEFD5F,SHA256=00636744961863193C0FAA36DF4AB7BA13F9FB96853E28C92A07464CBE1C884B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:47.330{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9F042016EB57EDF6B4C78ADD58A43C2,SHA256=A399E00FFDFBEE33A31CF0F5A100D9A43AD07E9ACA48A757476CF08A708F623B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:48.916{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01A2B49F580A89A622D74243BD87AF95,SHA256=6C1F39034C850A2ECB8E73DEFE7B59766F207F59238E35719C849A078249E265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:48.423{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=338B488ED36DFA17EFBFAA404D806F49,SHA256=0900CA9F2134727C865D324D358D3B39714D451570710DAAE3A9530DF5648D64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:49.503{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C26911F7D7AA8615FD6DC5640B6060C1,SHA256=FD5EE2932B68375251747E28A8C7D186CECCAFFB25AB2FA099F4C700E04A71F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:49.600{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:49.595{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:49.593{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:49.588{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:49.582{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:49.574{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:49.571{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:49.552{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:49.539{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:49.532{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:49.528{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:49.524{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:49.515{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:49.493{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:49.485{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:49.472{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:49.460{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:49.437{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:49.409{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:49.321{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:49.295{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:49.271{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:49.236{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:49.132{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:49.125{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x800000000000000089757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:50.585{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=314647836B58A37B7FAA21874470AAED,SHA256=00044EE0756B61516C9845B0A68E94E0FF71A1B9EB732E6E2082DC60C90DAF7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:50.244{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x8000000000000000120808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:50.053{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=388C7142D9828DC28226CD9857974BD6,SHA256=46A5273602E181E1F413415DE8AE75D501C764E4A7958C569E3BDAE1FEEBAA32,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:47.197{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51676-false10.0.1.12-8000- 23542300x800000000000000089759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:51.674{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=769EC581C9A9C5B92C066F3FFEF8E4D0,SHA256=A01142E22ADF005B410524B2EFC0715556ECA02370A01DAC91CF1B99F1BE55B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:50.218{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64717-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000120810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:51.113{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=252A4453CFCE40650D2D78E36D4BD881,SHA256=377B9649108F0A9635A05583CDAB2FE2349EDE4A230231EC43E2F7B1AEA5F392,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:51.033{A847701F-1280-63EE-1200-00000000BB02}1016NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B3B42A6151A4B8913E9C853D27259DE9,SHA256=F84AF904638BEBB49270AEFF030E6E7901BCD5C39D1A05F85248769CE8014586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:52.759{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B97CB9BE0A27EDDD3CE1CCCEBBA3112E,SHA256=B1495CE826417AAEA2D923165EF878C30C990EE808D36A37C0476365FF5C4363,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:52.947{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:52.925{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:52.924{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:52.922{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:52.918{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:52.896{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:52.885{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:52.835{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:52.821{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:52.810{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:52.805{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:52.803{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:52.798{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:52.796{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:52.793{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:52.791{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x8000000000000000120817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:52.790{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8176C5EFBD2E46F40F8413677BA55C40,SHA256=26CCEFF347F38A6708A30D25A7CEE6AFCAAEFD5B258127CBB24B31AF8F26B491,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:52.789{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:52.271{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:52.270{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:52.269{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x8000000000000000120812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:52.191{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FD4759F40860D3769314983A95B71F9,SHA256=03EEADE9583A298A0393481ED2E663A2FCBCADC3BCF356859967D3638F66B09A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:53.844{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BABF0950DC6523952EA33BCBCF99963,SHA256=7330F1BE1A395DA80B19518C58386D2FE5BF654DE50724BC44063B30312EC500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:53.249{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A95A2FBE824D1B61FEA8703AA5F1B0EB,SHA256=FF410F006B098E4EA366D4D80437BF1074DF6AFA7E6AC41735C9D77F41BD9743,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:54.931{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D8C67BC1CE8D827CA45137AB5CD56CE,SHA256=F2DAB324FD21F975B6CB88E7F102CEF4A5CBED79F08789FDE081CA0CAC875F75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:54.865{3F28B219-1285-63EE-1100-00000000BA02}756NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DAF2E79D66F54D249B6555836F90D2EA,SHA256=CD91040818253379D637FA69D1388E9FFA5675A3637BB2DC2DC6708885BB6E83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:54.340{3F28B219-14AE-63EE-D900-00000000BA02}50205336C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+18459|C:\Windows\System32\SHELL32.dll+89d20|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:54.340{3F28B219-14AE-63EE-D900-00000000BA02}50205336C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:54.340{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:54.340{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:54.340{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:54.340{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:54.340{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E19C2903EB12B6A0E05C0972A0F71C8,SHA256=DABA2F02906C674A9E6BA35646FDCCDD08114077CB120726C2A14CB6EEF40F28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:55.433{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF42CAAEB8041AD64E42C297322EBA5A,SHA256=E9950546BABBB82CE5415B96BD924A122113BF9251E41B2EB1A4F513FF993AE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:56.523{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06D132BAD6A81E911196BA2A1112E3DA,SHA256=491A408E7570741BB1EA9A378BDC1C9F1907FD04E9C0C0ECD554FE94E4101307,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:53.190{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51677-false10.0.1.12-8000- 23542300x800000000000000089763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:56.003{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C80CFF7D4D4C03C3635329AFA6A04B41,SHA256=185198A19CD7602E19AECFABE8EE596A94D74DD996CD975F4C2AA3D17FE6E3D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:57.604{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3FBB39014D416AACA40BDF45BEA334C,SHA256=130202CAE6E8EBC65D291CAE73BA1E38B280854801C28CB2C6FB4DB4E8F7BB2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:57.088{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E6CD0BC76D645537B8E2092A96F42FB,SHA256=D3E1F5A1FD3F67948607454A9CA46CFF9A55D874A90181ED431E475CE1278670,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:55.419{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64718-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000120847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:58.682{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=784731D486AD7E8A80BD7BE7B55691B9,SHA256=EF92CB5B14B989471E6CA884208ABCF5874E45ED3AC735B2D0434FE878791270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:58.163{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9595F6F7C9E451FDAD618FD8E122002,SHA256=BDAE2BDFD0F54CC54F69094A27BA248618973160AE30A74714B81D641F371D0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:13:59.741{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D19714149A49283D95DA16B4E08651,SHA256=4043E9FF5DA159B1BA3DE22FCC50E657C4D8AC5253C0991DA314F523ED23F36D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:59.241{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A268DB90D1E94738C0E235850FBB11E2,SHA256=9725BC539DF94A0AC047B13B2A5FAB0BE9E6328D2115DBA3782F8DB69284A2AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:00.822{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BEE8339DAE55FE52B3B5DCB418C6A90,SHA256=44890103C121C5FA4F592CF4FBCA23F6A7115964F7C34BFC5A88DFF49635D667,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:00.982{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000089797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:00.979{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000089796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:00.977{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000089795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:00.971{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000089794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:00.971{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000089793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:00.966{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000089792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:00.964{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000089791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:00.962{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000089790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:00.959{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 23542300x800000000000000089789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:00.956{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=281B95656156CCFC1211A59F701603F1,SHA256=86EC2ED804979D2F26D869E18FE5EEF314C2344A30388E16CC0816FC1020DA93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:00.952{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000089787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:00.951{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000089786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:00.946{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000089785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:00.936{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000089784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:00.932{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000089783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:00.924{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000089782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:00.919{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000089781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:00.903{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000089780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:00.892{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000089779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:00.859{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000089778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:00.849{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000089777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:00.828{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000089776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:00.803{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000089775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:00.791{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000089774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:00.783{A847701F-1281-63EE-1E00-00000000BB02}19763288C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000014356190) 10341000x800000000000000089773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:00.773{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000089772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:00.767{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000089771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:00.760{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000089770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:00.757{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000089769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:00.751{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 23542300x800000000000000089768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:00.323{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED46412361D1F351A22C312742AA0278,SHA256=76768922EF5BA433AB0F49FDE257B2AB18B62C3905B4B303CF9637473016906B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:01.897{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C423949CBF557A1AC497B32160FACAA4,SHA256=547E779BA85208BE12F4EC42BA445D98D65989A5CB21C98DA2BD295AF5AF3277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:01.643{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B78E94825ECE805C1F39EDBD3D769DE8,SHA256=77EED338373EA713AE080E83010AF935F4D39E3D5D7529B45A02DE76FDE82A0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:02.954{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB5B46674BF8518D8F84642AE8929517,SHA256=95D1E938F1118B185F7EF5997C378F8AEB486FB5FFEF39BDDAA5A4710BBBDED6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:02.677{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E23E6276F2FCC6B01522363822420A0D,SHA256=A21F4F8D3A1F66FA7FEEEC4829915570EBF3F0E9BC0C23BDBC20F58C7D0C524C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:00.042{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51679-false10.0.1.12-8089- 354300x800000000000000089800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:13:59.163{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51678-false10.0.1.12-8000- 23542300x800000000000000089803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:03.750{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A5E87D1F97A7FA2F9F74183E4E21D5E,SHA256=06C0A1FFCA4762E79C4941F996950D94E9D07D7CF85260936BDFA0945D7B7E87,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:01.265{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64719-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000089805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:04.845{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9549DEE772548F41086AB8434160CCB,SHA256=DCB187DA62EF87ED70C248837FE9701B7224B9AF58DE49501D36E7F079736B65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:04.044{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0D0602C259379692E652C89C8E6D372,SHA256=FC0E6B79A70E7B741FBB9D61476A8E56BA089FB81A4CFF678B62A9FD24215365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:04.321{A847701F-1281-63EE-1C00-00000000BB02}1884NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0729cc0666dfd4ba8\channels\health\respondent-20230216112453-164MD5=B67CF1AA8F02C4F88F32B9662830A5FC,SHA256=A3185EA3A347A8F67D824B533332877713B0C696AA9DEB83501331F2F0EF2A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:05.918{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4780BB3334BE5C0E5DB0434E7E5613D2,SHA256=19E13672EC66A6E65CD64B4E913C945D04E1FE6CD83F69EC7237C51E1097AF84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:05.139{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD3C92EC278B0A359849693C9E8AA95,SHA256=BB1AF43CCE911C9FD4DE056DB4BBC73DF238DF75321BFC88AA725CCDE527806F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:05.324{A847701F-1281-63EE-1C00-00000000BB02}1884NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0729cc0666dfd4ba8\channels\health\surveyor-20230216112450-165MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:06.970{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90175F25B012F5A5FF445BB1DB39992E,SHA256=5E4E4F35C78888223A8991868E4D50634BC1188FBB29FE5D0A755931FB7F18FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:06.231{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97C3F84E40DF603510C623F5D5CCA610,SHA256=4A39F1DC308EE504710222A283990396C064C5E1B4DF40F2B495C542F0D15202,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:07.315{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=451198C6B21915B463E98DA99D465A5A,SHA256=D793B8091E45BE76F95C5754508AD225384D149FDA0F77E0CA424BAFFB22990C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:07.268{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:07.268{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:07.268{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000089813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:04.315{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51680-false10.0.1.12-8000- 10341000x800000000000000089812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:07.704{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:07.704{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:07.704{A847701F-127F-63EE-0B00-00000000BB02}628716C:\Windows\system32\lsass.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:07.691{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1E00-00000000BB02}1976C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000120861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:07.242{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64720-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000120860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:08.380{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=135A9E4E816EDA9FF0DD901B84C2C942,SHA256=72DB2B40256C7FD9C73B8D9B2C301D988FBA35F1E76427D17F332D16B1246804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:08.155{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A2E8621F10E2C503FB480103F6D8E65,SHA256=C6644DB367705E04D65B9F637B8D8511B33830802B3845A352629CA6632C8901,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:09.627{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:09.623{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:09.620{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:09.616{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:09.609{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:09.602{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:09.596{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:09.570{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:09.552{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:09.547{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:09.545{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:09.542{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:09.533{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:09.512{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:09.500{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:09.492{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:09.480{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:09.470{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:09.455{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x8000000000000000120868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:09.439{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89360084BE9D059850AC2B5CDD76421D,SHA256=6598441B7D2D4DDB86F34E425D64C34C87373166F1EC9A757B2A3B65C4CA33D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:09.418{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:09.409{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:09.390{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x800000000000000089815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:09.257{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=646A97ABEA06C5F5BD975AC5E6FA2BA5,SHA256=FA54E75DA21C9B0A2300221FD4D610F2AF3C99A0BF6A552BD1038D34059FB11C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:09.304{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:09.130{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:09.126{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x8000000000000000120894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:10.921{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=281B95656156CCFC1211A59F701603F1,SHA256=86EC2ED804979D2F26D869E18FE5EEF314C2344A30388E16CC0816FC1020DA93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:10.551{3F28B219-1283-63EE-0B00-00000000BA02}628676C:\Windows\system32\lsass.exe{3F28B219-1280-63EE-0100-00000000BA02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000120892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:10.551{3F28B219-1283-63EE-0B00-00000000BA02}628676C:\Windows\system32\lsass.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000120891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:10.457{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1938E16FEFBBBE4B84DD293CD012BC4B,SHA256=7D23953F12C022E6C81DCF8B91BA03D239EB46D5CEB07D2D4988E008CC989598,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:10.442{3F28B219-1283-63EE-0B00-00000000BA02}628676C:\Windows\system32\lsass.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:10.442{3F28B219-1283-63EE-0B00-00000000BA02}6284564C:\Windows\system32\lsass.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:10.718{A847701F-3A32-63EE-2E05-00000000BB02}1956524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:10.482{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3A32-63EE-2E05-00000000BB02}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:10.482{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:10.482{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:10.482{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:10.482{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:10.482{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:10.482{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:10.482{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:10.482{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:10.482{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:10.482{A847701F-127E-63EE-0500-00000000BB02}4122656C:\Windows\system32\csrss.exe{A847701F-3A32-63EE-2E05-00000000BB02}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:10.482{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3A32-63EE-2E05-00000000BB02}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000089817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:10.483{A847701F-3A32-63EE-2E05-00000000BB02}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000089816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:10.339{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=452297400E7B6CBA81EDB476E1EB02ED,SHA256=F5F8FC7987C2F9AFDE0A58EA4CF08A9CE3118C69A0E1182729CF512912325965,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:10.249{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 354300x8000000000000000120906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:10.718{3F28B219-1280-63EE-0100-00000000BA02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local64725-truefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local445microsoft-ds 354300x8000000000000000120905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:10.718{3F28B219-1280-63EE-0100-00000000BA02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local64725-truefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local445microsoft-ds 354300x8000000000000000120904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:10.714{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local64724-truefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local49666- 354300x8000000000000000120903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:10.714{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local64724-truefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local49666- 354300x8000000000000000120902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:10.713{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local64723-truefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local135epmap 354300x8000000000000000120901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:10.713{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local64723-truefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local135epmap 354300x8000000000000000120900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:10.611{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64722-false10.0.1.14win-dc-ctus-attack-range-295.attackrange.local389ldap 354300x8000000000000000120899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:10.611{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64722-false10.0.1.14win-dc-ctus-attack-range-295.attackrange.local389ldap 354300x8000000000000000120898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:10.604{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local64721-truefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local389ldap 354300x8000000000000000120897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:10.603{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local64721-truefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local389ldap 23542300x8000000000000000120896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:11.541{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A8FBB30095E79A429D38302054F5815,SHA256=9D73FDC75E23D8FC75D2D3309774CFFF03F5B173CDC8C8869BF33848BAD1C13B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:11.541{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EA647D9507B516FC8A33930477CBF4E,SHA256=24A8020DE5C074D473A038C571160B01432FFE36BE190D8E1B2417E71C64FA00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:11.625{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3EFBF3C9FBF088526DC190AB5569A0D6,SHA256=CEB5176B405DEC84E8E4B450DB55A1A0E629D897ACAABAF2F79F0DC00C0422DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:11.625{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20227B3D40316F8D10C567A69CAB4333,SHA256=4F66AAA6787ADD9AB081E714D3E020B7F1E5531D5BD295F025A795437E41DD13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:11.588{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D15A01A7D1BB96155924F26BCC906F0F,SHA256=B832E696445728420BE413C054FF9737C42EFDA0548E58994290E0CCF824CEC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:11.149{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3A33-63EE-2F05-00000000BB02}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:11.149{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:11.149{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:11.149{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:11.149{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:11.149{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:11.149{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:11.149{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:11.149{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:11.149{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:11.149{A847701F-127E-63EE-0500-00000000BB02}4122656C:\Windows\system32\csrss.exe{A847701F-3A33-63EE-2F05-00000000BB02}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:11.149{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3A33-63EE-2F05-00000000BB02}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000089831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:11.149{A847701F-3A33-63EE-2F05-00000000BB02}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000120929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:12.988{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:12.952{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:12.950{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:12.948{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:12.933{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:12.903{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:12.891{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 354300x8000000000000000120922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:11.064{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64726-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000120921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:12.845{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:12.835{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:12.822{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:12.816{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:12.814{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:12.810{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:12.805{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:12.803{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:12.803{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:12.800{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x8000000000000000120911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:12.612{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EB520B91CF510BBD36728394848AF1B,SHA256=9C46FE2150DE6F52736FE9848BFB47387D83915D521C151CC1C4A6403289249B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:12.740{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4E327EC9F5448E5B8A03F5ED29BE60AB,SHA256=ADAFC5A30A26252F79D2BCA2BFA4063240BDCDF4BB930D7E65316DA616390F9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:12.708{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6B2D43FCE89BF3D6DE11720CBF6AA7B,SHA256=C87FED07A3EA61997124B4EFFCDD9A24D5FB40B48D08BEBF8328390DF11F3B3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:10.329{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51681-false10.0.1.12-8000- 10341000x8000000000000000120910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:12.281{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:12.280{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000120908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:12.279{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x8000000000000000120907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:12.240{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A37E41878985D0AA43C475E18897F61A,SHA256=7700858155DA832E57A750417BC358630DCEC73E72AE78ABE5C6799B497A25AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:12.332{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64727-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000120930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:13.683{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=267FD67E603693A98BFAC7E14B61ECEC,SHA256=594A7DCCAC8F6C05146BFB3269B8B2E25B74E8DB43FD6A1804170502B0CE4B2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:13.788{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F1C6EDE8D0E721D30E0AE37548600A4,SHA256=F1FABAE38DBF28162441BEEAAE47AF383CD8C67F7805F4C8E6E8998E02549773,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:13.587{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3A35-63EE-3005-00000000BB02}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:13.587{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:13.587{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:13.587{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:13.587{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:13.587{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:13.587{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:13.587{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:13.587{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:13.586{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:13.586{A847701F-127E-63EE-0500-00000000BB02}4122040C:\Windows\system32\csrss.exe{A847701F-3A35-63EE-3005-00000000BB02}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:13.586{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3A35-63EE-3005-00000000BB02}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000089850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:13.585{A847701F-3A35-63EE-3005-00000000BB02}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:14.778{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B8183FED004B0EC728DA7EAFD8F4223,SHA256=24A689B02FACC96C58C5ADCFB8B450196F78DE69F3E7C391D8DA422E930E14EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:14.928{A847701F-3A36-63EE-3105-00000000BB02}322936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000089877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:14.881{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78BB9A080EFD23B62A9D5E2DE46380BF,SHA256=CFFB145F6846300F8336B138E2840DC57AE217F9E9D84E8FAC1EB3BE848E6D69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:14.687{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3A36-63EE-3105-00000000BB02}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:14.687{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:14.687{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:14.687{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:14.687{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:14.687{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:14.687{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:14.687{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:14.687{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:14.687{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:14.687{A847701F-127E-63EE-0500-00000000BB02}412428C:\Windows\system32\csrss.exe{A847701F-3A36-63EE-3105-00000000BB02}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:14.687{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3A36-63EE-3105-00000000BB02}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000089864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:14.687{A847701F-3A36-63EE-3105-00000000BB02}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:15.855{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF961581079CC047D451BB6A62BE358E,SHA256=9B90E2B4D7EAC53B6E9AEEE27F0F8DCB12C74DD88BB01821DBB77BBDEC84CB64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:15.855{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3A37-63EE-3305-00000000BB02}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:15.855{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:15.855{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:15.855{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:15.855{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:15.855{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:15.855{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:15.855{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:15.855{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:15.855{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:15.855{A847701F-127E-63EE-0500-00000000BB02}412428C:\Windows\system32\csrss.exe{A847701F-3A37-63EE-3305-00000000BB02}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:15.855{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3A37-63EE-3305-00000000BB02}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000089893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:15.856{A847701F-3A37-63EE-3305-00000000BB02}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000089892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:15.374{A847701F-3A37-63EE-3205-00000000BB02}18123648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:15.187{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3A37-63EE-3205-00000000BB02}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:15.187{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:15.187{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:15.187{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:15.187{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:15.187{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:15.187{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:15.187{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:15.187{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:15.187{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:15.187{A847701F-127E-63EE-0500-00000000BB02}4122040C:\Windows\system32\csrss.exe{A847701F-3A37-63EE-3205-00000000BB02}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:15.187{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3A37-63EE-3205-00000000BB02}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000089879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:15.188{A847701F-3A37-63EE-3205-00000000BB02}1812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:16.932{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD63763B577340D7E748E6104D49C4DE,SHA256=C316B3D07E50D28235F58726C3C55173B46674DB2D0BD99237DF42DA94D2CC1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:16.954{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F694A5878DBAF79E7148054AA38D95CB,SHA256=FB1B413FDDB6F2AFBCC49AADA092E06C39263FF0580992E7D2ED3445FE1D301B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:16.121{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43562CECDEE2BA0385C57D0DA00AB52F,SHA256=F5D5EBC3AE605C7C8F36A50813F4B68FDCA988787AB859E99AE7671B22A9E053,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:16.070{A847701F-3A37-63EE-3305-00000000BB02}22562548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000089909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:17.164{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3757582E5BAC713C680275E3564F10E0,SHA256=FD6D5BC03BD7EE9651B5FEB99027D60D8F7D139A54C3672F106A9249253F6C55,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:16.203{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51682-false10.0.1.12-8000- 10341000x800000000000000089923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:18.817{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3A3A-63EE-3405-00000000BB02}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:18.817{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:18.817{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:18.817{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:18.817{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:18.817{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:18.817{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:18.817{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:18.817{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:18.817{A847701F-127E-63EE-0500-00000000BB02}4122040C:\Windows\system32\csrss.exe{A847701F-3A3A-63EE-3405-00000000BB02}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000089913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:18.817{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000089912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:18.817{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3A3A-63EE-3405-00000000BB02}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000089911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:18.818{A847701F-3A3A-63EE-3405-00000000BB02}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000089910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:18.233{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E27449E26B551B3DAD59DCCFF36E0240,SHA256=F03C71E7A4ABE9A95B1AE560905509C223977C9D584A2386513B83131F1AAE89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:17.999{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC6DBCDE04B6EC6D9C3A82702B44B316,SHA256=7165C56DB68D23187E7D21EAC17565EB8ED83F1E160296A6C11F2A03C83B998F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:19.750{3F28B219-1293-63EE-2700-00000000BA02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-005f8c708c98243a3\channels\health\respondent-20230216112509-164MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:19.076{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D12E19CA4CB091133344AB3E2EAD3AD2,SHA256=1F867DEB37ABBB1D06753D8668D0E3D33D740E2096DF82D578AD3F2F05919C9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:19.325{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A107649D555E0401D0FE6F8854D38B2,SHA256=839AE259E571FB7BC5CB2517B1643A6CDF683D3CBBDD079CF99C6354B2AC4483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:20.760{3F28B219-1293-63EE-2700-00000000BA02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-005f8c708c98243a3\channels\health\surveyor-20230216112508-165MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:20.725{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3A3C-63EE-A705-00000000BA02}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:20.725{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:20.725{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:20.725{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:20.725{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:20.725{3F28B219-1282-63EE-0500-00000000BA02}412368C:\Windows\system32\csrss.exe{3F28B219-3A3C-63EE-A705-00000000BA02}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:20.725{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3A3C-63EE-A705-00000000BA02}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:20.726{3F28B219-3A3C-63EE-A705-00000000BA02}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:20.152{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=358A2CB0FE57D35275B18455FBE42B63,SHA256=73E1CD1A59CF9E432D39B840C97FF08F0835596FBBD9042A89CBA2D87472B291,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:20.967{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:20.960{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:20.957{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:20.955{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:20.953{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:20.950{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:20.949{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:20.947{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:20.944{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:20.941{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:20.938{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:20.934{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:20.924{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:20.920{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:20.905{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:20.902{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:20.888{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:20.878{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:20.851{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:20.841{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:20.831{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:20.819{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:20.810{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:20.797{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:20.784{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:20.774{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:20.764{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:20.753{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000089927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:20.751{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 23542300x800000000000000089926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:20.412{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6DC8289DC5FDBB6CE6F2580CBA043B8,SHA256=3A43179D42EAAEEDAC8B0365B4B26D2D0858C0379C1282D746BBBA99491C831C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:18.219{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64728-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000089956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:21.602{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A575E2328B13406CBDB891295230B2E,SHA256=18C4B25230FF75B85F4B6DED4AAABED647065FBC9D3A3FFA7B1CA5C89520FAC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:21.792{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1D975435C03BFAAA7C8B4708293DCC7,SHA256=21822AADDC0DEBD8C5A01EB4E98B11DB4260062C97A10FE4DB090C10FD5D060E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:21.636{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F72FC90E3B2CF620E7A13AA8DEB94594,SHA256=B33325C2C7C7E36E159C8542C66BA3A61DDBB3D386E0763FC18E240B03B686B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:21.570{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3A3D-63EE-A805-00000000BA02}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000120963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:21.569{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3A3D-63EE-A805-00000000BA02}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000120962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:21.569{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3A3D-63EE-A805-00000000BA02}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000120961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:21.568{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3A3D-63EE-A805-00000000BA02}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000120960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:21.566{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3A3D-63EE-A805-00000000BA02}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000120959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:21.566{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3A3D-63EE-A805-00000000BA02}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000120958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:21.398{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3A3D-63EE-A805-00000000BA02}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:21.398{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:21.398{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:21.398{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:21.398{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:21.398{3F28B219-1282-63EE-0500-00000000BA02}412524C:\Windows\system32\csrss.exe{3F28B219-3A3D-63EE-A805-00000000BA02}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:21.398{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3A3D-63EE-A805-00000000BA02}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:21.399{3F28B219-3A3D-63EE-A805-00000000BA02}6896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:21.232{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8BA3F9F7068223128439FE640401D08,SHA256=C41EA3A6E4E1330BC3FD330CDAB3076A5AE18211A993AE8B817F42F967A65A03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:21.013{3F28B219-3A3C-63EE-A705-00000000BA02}64646276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000089957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:22.688{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD66FD336C60ACEFEFB04AEF6F6FF9A7,SHA256=750326B9DE1794A6AE432D8009867CE856CE9B9C1D3135BDFF0CC888DD7F3837,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:22.975{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3A3E-63EE-AA05-00000000BA02}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:22.975{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:22.975{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:22.975{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:22.975{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:22.975{3F28B219-1282-63EE-0500-00000000BA02}412380C:\Windows\system32\csrss.exe{3F28B219-3A3E-63EE-AA05-00000000BA02}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:22.975{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3A3E-63EE-AA05-00000000BA02}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:22.976{3F28B219-3A3E-63EE-AA05-00000000BA02}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:22.960{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=67F56D26F1CF3DEA1516CD0DDDBA8C96,SHA256=9FD56AA59DE1AF47FAC0D768B172EEF810D11CA8EF69419915EFEC21342CF59F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000120975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:22.444{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9F2D10E05D3A4C5FEFA75CCAFAC246B,SHA256=311A2209BEB4E6B3CB3CA8E13608BFF38ECD3755C99A07152BC7E051E7012CC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:22.066{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3A3E-63EE-A905-00000000BA02}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:22.066{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:22.066{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:22.066{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:22.066{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:22.066{3F28B219-1282-63EE-0500-00000000BA02}412380C:\Windows\system32\csrss.exe{3F28B219-3A3E-63EE-A905-00000000BA02}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:22.066{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3A3E-63EE-A905-00000000BA02}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:22.067{3F28B219-3A3E-63EE-A905-00000000BA02}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000089958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:23.762{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98B15B0630376866772EC19284B96052,SHA256=3465794D687899435BBBFAE37BCE06231AD6CD8C57D1D6BC80F7E9BC86D78CC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:23.951{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3A3F-63EE-AB05-00000000BA02}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:23.951{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:23.951{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:23.951{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:23.951{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:23.951{3F28B219-1282-63EE-0500-00000000BA02}412368C:\Windows\system32\csrss.exe{3F28B219-3A3F-63EE-AB05-00000000BA02}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:23.951{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3A3F-63EE-AB05-00000000BA02}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:23.952{3F28B219-3A3F-63EE-AB05-00000000BA02}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000120986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:23.532{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8300669787D89C8F0FEB8B52DFD2C01D,SHA256=26F9756C708E849867A964A132D900D418F5408AB6E9C6C178E98777691D2928,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000120985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:23.178{3F28B219-3A3E-63EE-AA05-00000000BA02}64206172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000089960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:24.852{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00FCA1B69A3FA7CB815BEEC0CB5A6C66,SHA256=753C451CB9E8B97F35A951CEA5C5631617D6B7F3C3650D17051B6D0F77309510,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:23.587{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local64729-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local389ldap 354300x8000000000000000121012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:23.587{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local64729-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local389ldap 10341000x8000000000000000121011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:24.713{3F28B219-3A40-63EE-AC05-00000000BA02}39405832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:24.633{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4C32B398F067866A541E978802E0461,SHA256=48F98E32F2384ADE1CF3EBF00C559EDAE55324BA2359BEB2B4AB8B5E2A387AC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:24.630{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3A40-63EE-AC05-00000000BA02}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:24.627{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3A40-63EE-AC05-00000000BA02}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:24.627{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3A40-63EE-AC05-00000000BA02}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:24.627{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3A40-63EE-AC05-00000000BA02}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:24.627{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3A40-63EE-AC05-00000000BA02}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:24.626{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3A40-63EE-AC05-00000000BA02}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 354300x800000000000000089959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:21.234{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51683-false10.0.1.12-8000- 10341000x8000000000000000121003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:24.458{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3A40-63EE-AC05-00000000BA02}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:24.458{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:24.458{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:24.458{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:24.458{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000120998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:24.458{3F28B219-1282-63EE-0500-00000000BA02}412368C:\Windows\system32\csrss.exe{3F28B219-3A40-63EE-AC05-00000000BA02}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000120997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:24.458{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3A40-63EE-AC05-00000000BA02}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000120996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:24.459{3F28B219-3A40-63EE-AC05-00000000BA02}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000120995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:24.192{3F28B219-3A3F-63EE-AB05-00000000BA02}49246336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000089961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:25.959{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C92E6DD914D1690449E6993C3290E9CC,SHA256=3F9CDDE683A680EEEE18F776C98DE0E746FC059372AEEB10975F3E2B5A9CB4EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:24.179{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64730-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000121031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:25.914{3F28B219-14AE-63EE-D900-00000000BA02}50205336C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:25.914{3F28B219-14AE-63EE-D900-00000000BA02}50205336C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:25.914{3F28B219-14AE-63EE-D900-00000000BA02}50205336C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:25.899{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:25.899{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:25.899{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:25.899{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000121024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:14:25.781{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000121023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:14:25.781{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x009b5060) 13241300x8000000000000000121022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:14:25.781{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d94208-0x976ebad3) 13241300x8000000000000000121021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:14:25.781{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d94210-0xf93322d3) 13241300x8000000000000000121020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:14:25.781{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d94219-0x5af78ad3) 13241300x8000000000000000121019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:14:25.781{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000121018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:14:25.781{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x009b5060) 13241300x8000000000000000121017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:14:25.781{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d94208-0x976ebad3) 13241300x8000000000000000121016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:14:25.781{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d94210-0xf93322d3) 13241300x8000000000000000121015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:14:25.781{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d94219-0x5af78ad3) 23542300x8000000000000000121014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:25.703{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A172E131D9ACBF4B2782A56F632E6BA,SHA256=7122C54AE8A61BCB1E87F75CA9D462E4EFEA20CDCB300856F4E19A564C7BA920,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:26.997{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19FF3825EA4E7DA09A5FC07EF0CD682B,SHA256=128C59A04C2048005FF6C6BBDD38E647A8D248160B9ECDFC34D57A132CDD386B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:26.566{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3A42-63EE-AD05-00000000BA02}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:26.565{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3A42-63EE-AD05-00000000BA02}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:26.565{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3A42-63EE-AD05-00000000BA02}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:26.565{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3A42-63EE-AD05-00000000BA02}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:26.565{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3A42-63EE-AD05-00000000BA02}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:26.565{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3A42-63EE-AD05-00000000BA02}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:26.530{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3A42-63EE-AD05-00000000BA02}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:26.530{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:26.530{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:26.530{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:26.530{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:26.530{3F28B219-1282-63EE-0500-00000000BA02}412380C:\Windows\system32\csrss.exe{3F28B219-3A42-63EE-AD05-00000000BA02}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:26.530{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3A42-63EE-AD05-00000000BA02}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:26.530{3F28B219-3A42-63EE-AD05-00000000BA02}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000089962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:27.048{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE8A52C0CD86DAC336CD21DE8F22C704,SHA256=390913BD6777AF7A5E5B739788EF0398D2DEBC689D387C45432B5EC6FF0EB0C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:27.628{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C052FB3079F58BC100CEFC53E651B917,SHA256=90CB456A0C6B7DE3CC781A67D86CDF23A5DA95991AD7D99FCABDE1A39851BF98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:28.126{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F77D604FC9333DDB335B36B31A4CA92B,SHA256=8114CC80EE7ABFA5F65E51C256C4392C0BC7919ACE335D72F0E79EBD7886BBCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:28.090{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=139D8FA5CC28FB4C8509635929C886D3,SHA256=A7FED86388D47187B0B9F5AEAF0F650AA7823A70E33AE1745627447D7287AE37,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:26.259{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51684-false10.0.1.12-8000- 23542300x800000000000000089964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:29.218{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F220FE9FCD840F33607ACB79D53ACE52,SHA256=9887AA7B8EED7D2790BA06B5F33ED6F5E35BFB048A6344A0C3E4C4519A0ACAF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:29.937{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:29.443{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:29.438{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:29.436{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:29.433{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:29.428{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:29.421{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:29.419{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:29.407{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:29.398{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:29.395{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:29.393{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:29.391{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:29.385{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:29.361{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:29.348{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:29.341{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:29.329{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:29.321{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:29.308{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:29.280{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:29.271{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:29.261{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:29.251{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 23542300x8000000000000000121052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:29.173{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28356791B7213DCB0955974CEBC855D1,SHA256=1F038F125F37FC622A5F7F02DB8AB42E1AA9FB1D3ACE67A719298112A0BAA3AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:29.144{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:29.141{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 23542300x800000000000000089966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:30.308{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFCC7FE1DE7C19A87C344487BCB7EE6A,SHA256=EEC2F3FDCDC498B1EA7BE819EA6FFC2C0C77367C2780FFE23FC5DC95D9D048AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:30.198{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DECABBE5A50EE82C9D9AC3E623CFD59,SHA256=3760E14874A0519783355DB1E593496C7318DFF6171AAB46D4976C32E640357F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:31.392{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D9C78A3F98978C5540A5B2D7FE47187,SHA256=3464259C0D9D9F42DE35D075F228B5786922A919502DFC5359A315B795DCE1B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:31.979{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:31.977{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:31.975{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 23542300x8000000000000000121078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:31.265{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E337FBE2514CDE2141BA571F74C271D,SHA256=F55711F5652D6EFBED9C082B41545560CA100AF41E240992DE7A70BD5A2D5379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:32.470{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=446E9665BF46857D9D470746F599982C,SHA256=D6C05D2D7BA12C3320C7D6EB5AFF8F064F7A5AF4B2708CAA59B4172F29DDBEFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:32.716{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:32.648{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:32.642{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:32.639{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:32.623{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:32.591{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:32.575{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:32.575{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:32.574{3F28B219-1283-63EE-0B00-00000000BA02}6284564C:\Windows\system32\lsass.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:32.570{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:32.553{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-14C1-63EE-EE00-00000000BA02}5488C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:32.526{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:32.518{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:32.506{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:32.500{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:32.498{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:32.495{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:32.492{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:32.490{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:32.489{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:32.486{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 23542300x8000000000000000121083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:32.336{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68D5F690BAB996EAF7EA03EACA00A5F0,SHA256=0032C72BC03C8C0CC2BD0AF47EE55834510D160C63496A02ACBDE554114816BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:30.183{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64731-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000089969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:33.525{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C4FD6D12B8885AC6B4A99BFFB9BC7A8,SHA256=3401C766E25282FC1043DA1762463036E44D0F1C9014628BEBEFBBE95EA7E585,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:33.570{3F28B219-1285-63EE-0D00-00000000BA02}8924496C:\Windows\system32\svchost.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:33.414{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63B9A55A7104A5D2C75DBBAE571042A3,SHA256=26526D3C0BE379B2C224DE5FEECF2C1A1AE6AD03F7975719EEC28167630FAE72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:34.592{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7A5E9C657763A9698ECB3136DB03E3B,SHA256=30745AF012BA522FB53511705ACF64CEC0D21EBF4DBCC339BB2829CA84E35FEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:34.518{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C4A8E97808D37417A4A7C49A84B18CB,SHA256=F5F973E77CAA8F548EED17BAD5172F9AA8D01F51D348EF2D048606010F96BE19,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000089972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:32.198{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51685-false10.0.1.12-8000- 23542300x800000000000000089971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:35.665{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1FC42D1419C50B977A2CED7819AA4EE,SHA256=49B2896FDE66B179FF033BC4215C15DEE30BC80D9323B49988591EBBB190605E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:35.617{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55DCD7E87B1A07472F6D10F65CD3B591,SHA256=0BF49B8924346B186FC8AA5C1E05F3AA09BA5A917E515EB9DD7845E7C6035217,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:36.731{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=011CB752C5EF2A56A2921CFCAAB5ED16,SHA256=3D73B51C6997A30CC04F8012CD497A9BCE35A7B18D18DF44EDB500E9186061D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:36.697{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF63422933EF3377EAF11DBC8ABD8B4F,SHA256=62669FD9B5BBEEF76E0179C0BA49A90EF742123C4EE7AA9ABDC9CAA3C22DD72A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:37.809{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78B173B69546E7FE114783169A10DD85,SHA256=A86D61663F7D1848753B1E794BE38D7E98CBC7AA9A171E39484D9FB3A17D0E30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:37.758{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=791EE2AB7E33725CB649644F6D070A2D,SHA256=916EA50B0AABDACD1C1684E4C3D6377B492FE5749CA1ADDDF628A9BF44076633,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:35.354{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64732-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000121112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:38.851{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1663BE43D3B8B050E0D8CFFEA01CA8D,SHA256=D17931DF2084F7C877AB4C44B49078A80488F7EB5E1795CBA3FFDE9AADA7901E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:38.891{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E704ECFAC56264E1250F85B9B63C2EDB,SHA256=70646B4DF2A588F74B2655C26DAD937B3A7C078B19780150E64D92B8B667CE60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:39.951{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46212F30DF8C9BEBA62B5F5FAE3C3557,SHA256=2E9E18E835ACAADCAD76EAD784E10BF85CC7FD7B0B61F652AA068E5BAAE43B03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000089976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:39.982{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E9F69DA63A12E9E539671EAE211B7E3,SHA256=0F683E39267658D5ED4CA64A0F70B6DC586AB7C131FD8B3E990224C386C35EFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000089993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:40.995{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000089992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:40.983{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000089991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:40.977{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000089990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:40.952{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000089989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:40.942{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000089988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:40.892{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000089987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:40.879{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 354300x800000000000000089986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:38.173{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51686-false10.0.1.12-8000- 10341000x800000000000000089985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:40.859{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000089984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:40.851{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000089983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:40.838{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000089982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:40.825{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000089981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:40.802{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000089980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:40.790{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000089979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:40.776{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000089978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:40.758{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000089977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:40.751{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 23542300x8000000000000000121114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:41.029{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07754A128E48B2C37DC3E3DE2D894A4F,SHA256=977CC596A568FF8D532165C9EBDB269378B3462C56AC268F261BD22236D0E5E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:41.069{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:41.065{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:41.062{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 23542300x800000000000000090004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:41.058{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FB9E331276500F5E277693D1784A877,SHA256=DEE8AFA727C0E420B330788CB852D8E689C3F21296576FE75841BF1B060BC8B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:41.055{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:41.053{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:41.042{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:41.042{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000089999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:41.040{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000089998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:41.035{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000089997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:41.032{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000089996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:41.030{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000089995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:41.027{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000089994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:41.009{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 354300x8000000000000000121116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:41.203{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64733-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000121115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:42.116{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDCE93C84F0E66E84130DB79C66EE05E,SHA256=0BE72B65AFF9B789FE37945EF53FD52C18E605956D5974303CE0AB674E7703F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:42.898{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=70143E3EBE32A018CFECA8303BD11333,SHA256=DCE266405C3EDAC50D5E3051D5B558420DF8C7C98039CC25D17F98EB08E0781C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:42.024{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A18A04960903119771991CB35E70F784,SHA256=4FA69CD4C3D617A3BEAB9AF4CAE167BF177F0590C95D165DFEE0D6CB19964F3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:43.213{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9FAEB0E0AE80016F67E130F9F38100A,SHA256=2B2FF19F6A0998744FE3EE0AA30D6B93A36B9EA432AEDC8A6CC68FAD45F3231B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:43.094{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49D51AEEE28245920E67D321F46BECB3,SHA256=3339485296D7299848D2ED69E470C622179B3AA67E6D23D7DBEBE661A8F4D27B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:44.317{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A2A6AE3EDE7629A5247903B3F4CE062,SHA256=2EE5FF1C78639BD836C24523E4AFF382E4DE1CEB28A0B6FBD4F71A021CDDA5F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:44.178{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC952FD106F87B557974D1C75085E158,SHA256=BE15957B889EB529A28DBC4B499347DDE2E10E9370127EB3D57E3702D90054D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:45.260{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5ABBD23334D7DDAA8BFF5265BD7F21E,SHA256=D3C518FCA3ADC43600C46E4064A773B18D48D13DFB990B6F18357A9ED7440519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:45.404{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C28B6111CFD4555716CABE5F2739A23,SHA256=6AD326F4720AD7F7531AEB593AD777362C8020F66ECC0A20DB2C21B54E6E6B06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:46.359{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA2C093BD175FA919E988463D499A557,SHA256=AE55B4C541302C9C18A721653C8300B550F48DC928223DF1F37BD663F4DFEE9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:46.486{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=126A695E9ED3359D91314337FFEEE385,SHA256=9EB1CC0726049B96D1B4944C3D08E0EF6B71E525C561B60CF3AF464DE3A5C95B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:47.434{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB84A7C89214E6208D66D987EB7D46B1,SHA256=0333C1170F0D863A48280A66F85EEBDC9EBDCFBB7F105BAC65C14E8389AC4086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:47.567{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5EED1DBBF4A48BAB24CC4C016CF823C,SHA256=EB7C2E3C8CA6D5BB0E6461ECFD343EC94BE579ACACBE47D542D46A0B3479B743,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:44.160{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51687-false10.0.1.12-8000- 23542300x800000000000000090016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:48.512{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD3BA010ABF623DCB91443E8EE668CB4,SHA256=272D60C5375DA0D99FB909085C1EA908C727DB5EE3C3E28AA7B39DE85DF92896,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:48.653{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E43D599B5665195F401337B73F2DAF03,SHA256=443A62C856FD3C45FC4171E538136D1C8A79FE11EA95242B58F03A6C5A32E8C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:46.348{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64734-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000090017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:49.593{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79EDA967D01E9E6559F29343880411E9,SHA256=8B9B1D3F58855E158EC494042E4566692FA0AEF68FE0FA6DBF328AF0803FD54F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:49.995{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 23542300x8000000000000000121149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:49.702{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDE945C717B1CD85026B44E0F0C18415,SHA256=5FE2D064C3B4B42EFF13A78A93E0AF3A96E60BEB58B4D240738D550ED1BD19D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:49.416{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:49.412{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:49.409{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:49.404{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:49.395{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:49.385{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:49.381{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:49.366{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:49.350{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:49.346{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:49.339{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:49.335{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:49.328{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:49.313{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:49.308{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:49.297{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:49.287{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:49.275{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:49.258{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:49.217{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:49.204{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:49.189{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:49.170{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:49.114{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:49.111{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 23542300x800000000000000090018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:50.675{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24987B9F9321697873ABF893F62E35A7,SHA256=5F4E0712C31262DC0EEB20822FA8FE8A7FF4E4BFE64AE5A000CBD30AAE85A6F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:50.758{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A219ABD9782D1F608BDDCDB896EC539,SHA256=D876B8316D4E2AD4EA264C887A0E7BACB8B86B4AE4D60888796BF5665654C928,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:51.766{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0A9B980F574E86472C50A504DCBBF0B,SHA256=F6E76B44161D57F73BEE7AED2805208EAA135CF5B25B07547F603A89B7174232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:51.830{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD1346351FA87D03B5BA2E2CB46C8E73,SHA256=2391FB3E21619C1DC2E8F9DC56E78208D499BF87FFF429B47523DCE9C312BAB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:51.376{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4CE7936638357EBF332E6737496ADC59,SHA256=3B1D0DEBB9043FC37446ECBEBDDD35292E02D831A0CC2934339A60EBC5BA67AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:51.047{A847701F-1280-63EE-1200-00000000BB02}1016NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=07325061800BC977C3C3FD8E4E39A928,SHA256=26EB2A4AA22E2ECE79CB76E9F09B2635C8365C6750B8D2CB80E29013909036D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:52.853{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CC2A1294A1C6B0855EF0A2245820E9C,SHA256=ED70E436209110B3B7C874028BA6B1CCB3CB2666F0B69DB22A7E5E166E41FF96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:52.873{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB2D573D0599F9AE773A558442727925,SHA256=BEAE982CB6B49AB99E8EBC3B8F3C64FAC2616EB4AC3CF1395AF2D568260C2934,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:52.759{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:52.740{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:52.739{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:52.735{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:52.730{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:52.689{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:52.666{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:52.625{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:52.615{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:52.590{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:52.573{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:52.570{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:52.565{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:52.561{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:52.558{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:52.556{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:52.552{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:52.040{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:52.039{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 10341000x8000000000000000121153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:52.037{3F28B219-14C1-63EE-EE00-00000000BA02}54885572C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580190) 23542300x800000000000000090024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:53.956{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3D9932E0EA16F47E6839A02262C12A8,SHA256=9E75D3A7351865F27FD334654D1317EEC8ADE238C7F71D9812216A9AE1860C82,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:49.167{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51688-false10.0.1.12-8000- 10341000x8000000000000000121207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:53.757{3F28B219-1285-63EE-0F00-00000000BA02}3045884C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:53.757{3F28B219-1285-63EE-0F00-00000000BA02}3045884C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:53.554{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:53.554{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:53.554{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:53.554{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:53.554{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:53.554{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:53.554{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:53.554{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:53.554{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:53.554{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:53.554{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:53.554{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:53.554{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:53.554{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:53.554{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:53.554{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:53.554{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:53.554{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:53.554{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:53.554{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:53.554{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:53.554{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:53.554{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:53.554{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:53.554{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:53.554{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:53.554{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:53.554{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:53.554{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:53.554{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:53.554{3F28B219-1285-63EE-0D00-00000000BA02}892916C:\Windows\system32\svchost.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:53.117{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=EAAC13190C354DF8425F4FC2F31402C0,SHA256=2BA0A0BF34BDE6033D5A39DF95A9A80619F0EA0C6F6D531F11E1561289818F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:54.870{3F28B219-15C5-63EE-3701-00000000BA02}5348ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=A928F93A398EDCFECD2110C541120E19,SHA256=BEE4299CF9BE70E1A0560CF4F7CFAA6EA39449E843E7243E3A42BB77AAA5F600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:54.870{3F28B219-1285-63EE-1100-00000000BA02}756NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2087D5185CEFA8B57B89AA0A1447582D,SHA256=1DC8ABFC64B0E00A12AC1D9B716BC8DF53435FABC4448278BF2DEB50AF2F031E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:52.302{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64735-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000121208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:54.159{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E40DBFBE4310429D6CD7363AD32429E,SHA256=D8FDE0D63ADF560CBAD75D6E50C008B67DD0562CA48C8D989E17BF9810D82323,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:55.035{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D885FACD924DCD67B734C47216E578CD,SHA256=637F1975867F2AA4BB04A9485E8C096F2A2B0D5EE76A8CACBCE8B8C0B9CB684A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:55.979{3F28B219-15C5-63EE-3701-00000000BA02}5348ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\1.ps1@2023-02-16_141454MD5=4A7EE8A7F40042E08117364702D16734,SHA256=562C44D5AC9899820B987139BED6479CE51F2682AC9E65E81EE97A080684E71B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000121214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:55.963{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exeC:\Temp\1.ps12023-02-16 11:56:09.298 23542300x8000000000000000121213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:55.963{3F28B219-15C5-63EE-3701-00000000BA02}5348ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\1.ps1MD5=C6E3016716E4D824C1FCBD771BF4DE03,SHA256=40C8B67A6B71F7630D58221ECBB5A8F07F554E8A21EE91F36BEDDAC06696072E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:55.282{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F378A234989AADC76137B2E1E8633B06,SHA256=C71A1E70BF95AB84C197A1DEEE2BAB1C08E379E6B16BD0FBDB819B48E9115E84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:56.131{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15F2AEDFF3E7CFFC6FB21A754BD2A381,SHA256=5BC58E97D21E5AC835C77EF503C68E0A479B14F95B58D32AA94354E64026E233,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:56.916{3F28B219-1285-63EE-0D00-00000000BA02}8924496C:\Windows\system32\svchost.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:56.361{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14AC7A7DE89E7EC9309E96830C116FB6,SHA256=344B9BE99AF1F75813EDB710130BD368965419EB6DF7E29730FB88755947BFE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:54.347{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51689-false10.0.1.12-8000- 23542300x800000000000000090027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:57.207{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFEC66F37234ECBFD2F5873D01AA8F9A,SHA256=854452EDCFC4F158BCDB1F343CB097BEE4C6F1B05CB511E7D3417B97CC8D87B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:57.452{3F28B219-14AE-63EE-D900-00000000BA02}50205336C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+18459|C:\Windows\System32\SHELL32.dll+89d20|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:57.452{3F28B219-14AE-63EE-D900-00000000BA02}50205336C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:57.452{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:57.452{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:57.452{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:57.452{3F28B219-14AE-63EE-D900-00000000BA02}50205788C:\Windows\Explorer.EXE{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:57.436{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B2F00DE52179D300B6C47F75A1EC620,SHA256=FEF2CD9D1BDE223F029ED7B52E6DE14359EB1D2594BE3B35E5E414654A4D470C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:58.296{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC7675DD690A420CE458FF953F6F3651,SHA256=7B3BC15BFB748DEF45E6051029EE643739E23CCBBCC30538B53D43D6ED75C017,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:58.833{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=746760AE81871197F8898B4496AFEEDA,SHA256=BC917B2ACAB156D13A07DA09F33E6DF1193B11352F4C98604758256802832EDD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:58.580{3F28B219-1283-63EE-0B00-00000000BA02}628676C:\Windows\system32\lsass.exe{3F28B219-3A62-63EE-AF05-00000000BA02}5496C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:58.580{3F28B219-1283-63EE-0B00-00000000BA02}628676C:\Windows\system32\lsass.exe{3F28B219-3A62-63EE-AF05-00000000BA02}5496C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:58.580{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-3A62-63EE-AF05-00000000BA02}5496C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:58.548{3F28B219-3902-63EE-8205-00000000BA02}58406692C:\Windows\system32\conhost.exe{3F28B219-3A62-63EE-AF05-00000000BA02}5496C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:58.548{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:58.548{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:58.548{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:58.548{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:58.548{3F28B219-14A8-63EE-C600-00000000BA02}4366328C:\Windows\system32\csrss.exe{3F28B219-3A62-63EE-AF05-00000000BA02}5496C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:58.548{3F28B219-3902-63EE-8105-00000000BA02}68127036C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{3F28B219-3A62-63EE-AF05-00000000BA02}5496C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+383fe6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a1550634(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09d34cd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09d3108(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a149b9f6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a099007a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09f3aec(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09d5afb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09d5afb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09d5afb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09d5afb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09d5afb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09d598c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09c66ac(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09d3bee(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09d3760(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09d34cd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09d3108(wow64) 154100x8000000000000000121235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:58.553{3F28B219-3A62-63EE-AF05-00000000BA02}5496C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exe"C:\Windows\system32\schtasks.exe"C:\Temp\ATTACKRANGE\Administrator{3F28B219-14AB-63EE-60D5-0D0000000000}0xdd5602HighMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x8000000000000000121234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:58.533{3F28B219-1283-63EE-0B00-00000000BA02}628676C:\Windows\system32\lsass.exe{3F28B219-3A62-63EE-AE05-00000000BA02}3916C:\Windows\system32\whoami.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:58.533{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FCEC2059B4E3BAB3CEF99B77F2A9774,SHA256=C74C933DE7007B385AFB26673B99DC563B842B4974466608D4EC89D287F56C1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:58.517{3F28B219-3902-63EE-8205-00000000BA02}58406692C:\Windows\system32\conhost.exe{3F28B219-3A62-63EE-AE05-00000000BA02}3916C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:58.517{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:58.517{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:58.517{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:58.517{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:58.517{3F28B219-14A8-63EE-C600-00000000BA02}4363652C:\Windows\system32\csrss.exe{3F28B219-3A62-63EE-AE05-00000000BA02}3916C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:58.517{3F28B219-3902-63EE-8105-00000000BA02}68127036C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{3F28B219-3A62-63EE-AE05-00000000BA02}3916C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+383fe6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a1550634(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09d34cd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09d3108(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a149b9f6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a099007a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09f3aec(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09d5afb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09d5afb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09d5afb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09d598c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09c66ac(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09d3bee(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09d3760(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09d34cd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09d3108(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a149b9f6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a099007a(wow64) 154100x8000000000000000121225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:58.521{3F28B219-3A62-63EE-AE05-00000000BA02}3916C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Temp\ATTACKRANGE\Administrator{3F28B219-14AB-63EE-60D5-0D0000000000}0xdd5602HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 354300x8000000000000000121282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:58.238{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64736-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000121281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.621{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=792054B7D587A60F1B7FF8C59E11CB32,SHA256=55A5D5375878C453185CF337C9F9DFB2305499E6CAC3381930E3F2DC341243C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.574{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CDD584C13EFD2CA235585011D583B04,SHA256=7C7B8030DDE07F2F1E292F70EB3A73D008C210AD2C42565EBF3134002E38DEFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.558{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2C8FC7AA22DD0BA8E37E0911876032A7,SHA256=23ED90D6BFD96E92965039B6579210E58EA3452D9714B07C60722F338323D51C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:14:59.395{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3113E3BB9184C3CCBF410FD42DA4F67C,SHA256=E54754C516B0C34F9322F5F3ED13F461B5A5206FEA36F210C15F34B965C95A7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.481{3F28B219-3902-63EE-8205-00000000BA02}58406692C:\Windows\system32\conhost.exe{3F28B219-3A63-63EE-B005-00000000BA02}6908C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.481{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.481{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.481{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.481{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.481{3F28B219-14A8-63EE-C600-00000000BA02}4366328C:\Windows\system32\csrss.exe{3F28B219-3A63-63EE-B005-00000000BA02}6908C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.481{3F28B219-3902-63EE-8105-00000000BA02}68127036C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{3F28B219-3A63-63EE-B005-00000000BA02}6908C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+383fe6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\5a48f1d1e4df1672621928dd2f021cd9\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a1550634(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09d34cd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09d3108(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a149b9f6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a099007a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09f3aec(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09d5afb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09d5afb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09d598c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09c66ac(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09d3bee(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09d3760(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09d34cd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09d3108(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a149b9f6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a099007a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\b1e407a16b6544916bc3fce1a7a4c7f0\System.Management.Automation.ni.dll+a09f3aec(wow64) 154100x8000000000000000121271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.482{3F28B219-3A63-63EE-B005-00000000BA02}6908C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exe"C:\Windows\system32\schtasks.exe" /create /xml C:\Users\Administrator\AppData\Roaming/XmlSchemaMicrosoftXsd.xml /tnC:\Temp\ATTACKRANGE\Administrator{3F28B219-14AB-63EE-60D5-0D0000000000}0xdd5602HighMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000121270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.430{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C695087917E54D2265C1BA0556B3E274,SHA256=74A285479DE32E31CC690C04FDC90F03B4F24340DA2357DEA13DD6B36D1C40A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.430{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9EDF7260FD25E7DD301A451DEF094E19,SHA256=135165045B35D67EFC8C820B42157A8462107DD9E57FDA216DECE0BF4378517C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.383{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56E6394635D007C63CBB3ECE61290045,SHA256=F7611E84CE273A2921B39F1365BC62FBE7F75D6F6773322CE59C22035BD1D994,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.368{3F28B219-1283-63EE-0B00-00000000BA02}6284564C:\Windows\system32\lsass.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.321{3F28B219-1283-63EE-0B00-00000000BA02}6284564C:\Windows\system32\lsass.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.321{3F28B219-1283-63EE-0B00-00000000BA02}6284564C:\Windows\system32\lsass.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.290{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CAA79A03B1D77690B89E972D05B81F84,SHA256=1DAC8BDE26B87DE6071DB88EEF1F78F724AD345B1417C84AAE59CDD15C0FAF16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.207{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3A62-63EE-AF05-00000000BA02}5496C:\Windows\system32\schtasks.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.207{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3A62-63EE-AF05-00000000BA02}5496C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.207{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3A62-63EE-AF05-00000000BA02}5496C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.166{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0700-00000000BA02}484C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.166{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0700-00000000BA02}484C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.166{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0700-00000000BA02}484C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.163{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0A00-00000000BA02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.161{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0A00-00000000BA02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.161{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0A00-00000000BA02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.159{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.159{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.159{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 23542300x8000000000000000121251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.152{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=282C5881EDE28C29277A61337B2A4ADD,SHA256=D7ACFAC7EB455623310A7C724EA03573CAF070FE38408E6BAEEB36706046CC16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.125{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.125{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.125{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 23542300x8000000000000000121247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.123{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5C9C5CAAB7A78DFF62E0C16607C88D11,SHA256=4619ED0741C634F3F62B5319E63B4BD8A02FB6582ED1EABA72D036C11FA8F6E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:00.675{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10F6AD6F4B02D1E65F329B999FFD8FA4,SHA256=44348B819FCCE23A1B1FD58783CAF98463EE3D990718CB75187A54298EBD14A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.539{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local62449- 10341000x800000000000000090061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:00.991{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:00.989{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:00.986{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:00.984{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:00.983{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:00.981{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:00.979{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:00.978{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:00.976{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 23542300x800000000000000090052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:00.974{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=281B95656156CCFC1211A59F701603F1,SHA256=86EC2ED804979D2F26D869E18FE5EEF314C2344A30388E16CC0816FC1020DA93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:00.973{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:00.971{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:00.968{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:00.953{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:00.951{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:00.943{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:00.941{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:00.930{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:00.920{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:00.888{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:00.875{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:00.869{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:00.858{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:00.842{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:00.835{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:00.818{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:00.802{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:00.787{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:00.769{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 10341000x800000000000000090032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:00.760{A847701F-1281-63EE-1E00-00000000BB02}19762512C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438850) 23542300x800000000000000090031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:00.476{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02F2547C366E099E804D7B440027CA49,SHA256=37CAA987EA296BE4149DD59EEB7C23C3930AC517683F41B23831896B7F91A54A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:01.971{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EE2CCBAC5F003A737BAC0AD23937347,SHA256=C23F27E953A4B6C5E7448BC64D6DEC0380814A9A427846A5614AD03D9CEC7032,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:01.622{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F917217EA36E58D19D6BF7FD3AA0044B,SHA256=A4C990E15BE88175EE3B1AD9359B5BF98423EAB17165056E94775659197234AE,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000121285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:14:59.553{3F28B219-3902-63EE-8105-00000000BA02}6812wintervivern.com9003-C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000090065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:02.716{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADEE47E997787AE5055022C65C735ABF,SHA256=6359269D97D90A215198DF961CF5C34AC219A9AF2AD1010531DA730D18148111,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:00.282{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51691-false10.0.1.12-8000- 354300x800000000000000090063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:00.061{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51690-false10.0.1.12-8089- 23542300x800000000000000090066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:03.771{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49D3E316BA5E065F0E55D5148D5FA1B7,SHA256=DBA4F198957FC6AE6A36A6410F1C17B5B322869F6720331DE2345E1450086A86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:03.870{3F28B219-1285-63EE-0D00-00000000BA02}8924496C:\Windows\system32\svchost.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:03.870{3F28B219-1285-63EE-0D00-00000000BA02}8924496C:\Windows\system32\svchost.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:03.038{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A7F9EA4734B1CC531B9C8DD1BBB7A4,SHA256=5D9F3C304EBDB2B7B3B6879FA4898A095B1A1EF1EB8266E6B1BB3C84CDA24BAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:04.846{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE93F7C0BFB7A3B34386C24253115E22,SHA256=F4A3C46B3F4D4B8288EF24EFEA3FAF316CAACB31943467712BBEEE5A79189AF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:04.126{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=249E1EC21CE589264B490F26025B0E16,SHA256=26028FD239387CB85231CCE6DB98721728A274A8CA8D513A938071AD2B838D3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:05.923{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=249F2A864636B2F3A02F7565444D322D,SHA256=07A2E689589A81F44EBDFC9FEC0C257F950C238583CA80865E0001F4A8AAECD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:05.809{3F28B219-1283-63EE-0B00-00000000BA02}628824C:\Windows\system32\lsass.exe{3F28B219-1280-63EE-0100-00000000BA02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000121293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:05.370{3F28B219-1285-63EE-0D00-00000000BA02}8924496C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:05.370{3F28B219-1285-63EE-0D00-00000000BA02}8924496C:\Windows\system32\svchost.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:05.214{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=123B947A4A614D40E1BBCD6BCA9CC16B,SHA256=04F397DABDCA6121BB9A0A514C26BAF8B7A3C646015A1497C361E7D1C773580D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:05.840{A847701F-1281-63EE-1C00-00000000BB02}1884NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0729cc0666dfd4ba8\channels\health\respondent-20230216112453-165MD5=B67CF1AA8F02C4F88F32B9662830A5FC,SHA256=A3185EA3A347A8F67D824B533332877713B0C696AA9DEB83501331F2F0EF2A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:06.991{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420049D639730FA3338C8898B79C4998,SHA256=A931D4B7227DF58E0F1D65D7F0439418358A63134CD3CCB99D1874EE848B3679,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:06.877{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE57FE774414E3AFD578E25D7991BFCB,SHA256=9BE7B670BD0B485CCDD4CA56B56E9AB396C0AA8A245717923866C14358AE6452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:06.306{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06ECB65821F1EFFCE5295F29B0FA5D78,SHA256=F861217C00C0E4E3C7A15F808F72772C38E989FA690CB0287E05FF87DD32AF50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:06.839{A847701F-1281-63EE-1C00-00000000BB02}1884NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0729cc0666dfd4ba8\channels\health\surveyor-20230216112450-166MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:03.334{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64737-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000121302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:05.967{3F28B219-1280-63EE-0100-00000000BA02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64738-false10.0.1.14win-dc-ctus-attack-range-295.attackrange.local445microsoft-ds 354300x8000000000000000121301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:05.967{3F28B219-1280-63EE-0100-00000000BA02}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64738-false10.0.1.14win-dc-ctus-attack-range-295.attackrange.local445microsoft-ds 23542300x8000000000000000121300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:07.386{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD876AEE2BB0DFCB63DB6967B101731C,SHA256=84B812B70733B1C121FA4059BC7E0BF44A486E33233A8DC59331A8C426D589A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:07.338{3F28B219-1285-63EE-0D00-00000000BA02}8924496C:\Windows\system32\svchost.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:07.338{3F28B219-1285-63EE-0D00-00000000BA02}8924496C:\Windows\system32\svchost.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:07.697{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1E00-00000000BB02}1976C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:08.450{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3A3FD392C73898EE72F8CEB04A8868F,SHA256=76B0896EF8D274F1D12A8D9B61BB7AEB1E046B7A22AEDB6F783DDB7D91D3CEAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:05.331{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51692-false10.0.1.12-8000- 23542300x800000000000000090073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:08.052{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3070664A75831BCBCDF8E65B94F0156F,SHA256=0C2F12F5EAC7439F31C463CF30927988795EF6FC8DD7309F5207145BC42ABBF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:09.514{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44FCC75D134B23CD13211F9C6AF71F2F,SHA256=241E01D90898B52E26D033C148E30261954333EC71BE7E36BCBBE8A13306CF60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:09.495{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:09.486{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:09.481{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:09.475{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:09.468{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:09.459{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:09.453{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x800000000000000090075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:09.150{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49951458CA9D268E13A0EC8F924CC115,SHA256=BF74532FD340A7E4D407097B6AA8CA62139F3DA94DCFBDA901921DD134F630A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:09.437{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:09.423{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:09.415{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:09.412{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:09.408{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:09.399{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:09.375{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:09.365{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:09.351{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:09.325{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:09.307{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:09.288{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:09.233{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:09.221{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:09.205{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:09.184{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:09.121{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:09.117{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x8000000000000000121334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:10.938{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=281B95656156CCFC1211A59F701603F1,SHA256=86EC2ED804979D2F26D869E18FE5EEF314C2344A30388E16CC0816FC1020DA93,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:09.257{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64739-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000121332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:10.680{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AF9E04F2D1B804ADC01977FAA15E0854,SHA256=EBF350FEA8E0C2CACEAC2C4358550E0F5F1D4013B72104F41F69F78C8832A94A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:10.546{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BAA46D96EF87D553D7F85E982B10404,SHA256=B84BF7CD5E04AB6691BABB798E235B608ADE1E80FCC1990EB330E3362CC31417,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:10.730{A847701F-3A6E-63EE-3505-00000000BB02}34963324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:10.480{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3A6E-63EE-3505-00000000BB02}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:10.480{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:10.480{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:10.480{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:10.480{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:10.480{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:10.480{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:10.480{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:10.480{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:10.480{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:10.480{A847701F-127E-63EE-0500-00000000BB02}412428C:\Windows\system32\csrss.exe{A847701F-3A6E-63EE-3505-00000000BB02}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:10.480{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3A6E-63EE-3505-00000000BB02}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000090077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:10.481{A847701F-3A6E-63EE-3505-00000000BB02}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:10.230{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15913D383EB734A31BCF33989B63B816,SHA256=5CBBDE20DEF1A86B1A7F5256D15A1908B90F242C8D126809AA6B346F548562FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:10.086{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x800000000000000090106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:11.981{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=FC722207032C8C80BEF212BB125C1996,SHA256=7F93211E73EC65992115E65157628E56E65343EA060A437A3AA5A17324830F93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:11.664{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEC5FC18547F18D685ED43761E66614F,SHA256=AD95F3149E8B06488881BE390B5898803ECC221DD543DE2C956EA83D75912017,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:11.664{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95BB61DB87FAE16235971379E63C399F,SHA256=1314537C1DC67FD30DA1E120E41F8C826DEE017BDF4CFAA68D143B47A91405CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:11.636{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33B1EA8BFE4DBD22E617999C68C987AF,SHA256=D071428A06B628D1147D783039BB59740FE046EA5506D18B73FB9467D62828D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:11.164{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3A6F-63EE-3605-00000000BB02}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:11.164{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:11.164{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:11.164{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:11.164{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:11.164{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:11.164{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:11.164{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:11.164{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:11.164{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:11.164{A847701F-127E-63EE-0500-00000000BB02}412528C:\Windows\system32\csrss.exe{A847701F-3A6F-63EE-3605-00000000BB02}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:11.164{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3A6F-63EE-3605-00000000BB02}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000090091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:11.165{A847701F-3A6F-63EE-3605-00000000BB02}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:12.768{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81269380FBA3816E5C7614573CDAEA79,SHA256=3D62A494C80323F52D227133F1CDB6D9F3AB33F9337551FECDB93ECDB550AA31,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:11.081{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64740-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000121356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:12.817{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:12.800{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:12.798{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:12.794{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:12.788{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:12.752{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:12.724{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x8000000000000000121349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:12.715{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49B9F9C399E2613D66F5CD080B051029,SHA256=809EA740171012629E4EBEA1A373D16C5C6557860EE9A24A071B2D490363A4D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:12.669{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:12.653{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:12.636{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:12.629{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:12.627{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:12.624{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:12.620{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:12.616{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:12.614{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:12.610{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:12.099{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:12.098{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:12.097{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x800000000000000090123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:13.880{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C30976E9CCB420E8D6A6DD613ABB80B2,SHA256=425B09DCAD59E9F7102F1DCF52929E5F27104292D947A7CD7A3CE9004D362638,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:13.674{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97F162FDF977E6D19F315D6B5A3A79B7,SHA256=85C75E452E56CDC61272B784690F5A098E98930AAA77F2BD9557D0521B1E531F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:11.246{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51693-false10.0.1.12-8000- 10341000x800000000000000090121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:13.583{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3A71-63EE-3705-00000000BB02}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:13.583{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:13.583{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:13.583{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:13.583{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:13.583{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:13.583{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:13.583{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:13.583{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:13.583{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:13.583{A847701F-127E-63EE-0500-00000000BB02}412428C:\Windows\system32\csrss.exe{A847701F-3A71-63EE-3705-00000000BB02}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:13.583{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3A71-63EE-3705-00000000BB02}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000090109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:13.584{A847701F-3A71-63EE-3705-00000000BB02}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:13.052{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2DBC68908340280E7B068CBF0E34146D,SHA256=5C38E4317529400374CF71371BB28FD2383EF102660BC81D52FF0CC1030A7CC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:14.967{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE207514DFB66D73E5038EF8A25B353C,SHA256=EAFA33075667025560AD1849A995DCEB9E9F3357015EE96AE2E4A2AAC1C30877,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:14.960{A847701F-3A72-63EE-3805-00000000BB02}40442280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:14.765{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F5F97965A00F21ECAFA2396E1B20141,SHA256=5553F8F5E1322787452F909AA70BF7AB0146D9BCB4EB0E736AF67DAC73ECD162,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:14.692{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3A72-63EE-3805-00000000BB02}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:14.692{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:14.692{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:14.692{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:14.692{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:14.692{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:14.692{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:14.692{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:14.692{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:14.692{A847701F-127E-63EE-0500-00000000BB02}412528C:\Windows\system32\csrss.exe{A847701F-3A72-63EE-3805-00000000BB02}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:14.692{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:14.692{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3A72-63EE-3805-00000000BB02}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000090124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:14.693{A847701F-3A72-63EE-3805-00000000BB02}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000121360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:15.848{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D75D3F2548CC27D27AF054264D6571,SHA256=2A353034523A761D6BF118F267F14FE5028125F7277EB42BABDD5132D545613F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:15.846{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3A73-63EE-3A05-00000000BB02}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:15.846{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:15.846{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:15.846{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:15.846{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:15.846{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:15.846{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:15.846{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:15.846{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:15.846{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:15.846{A847701F-127E-63EE-0500-00000000BB02}4122656C:\Windows\system32\csrss.exe{A847701F-3A73-63EE-3A05-00000000BB02}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:15.846{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3A73-63EE-3A05-00000000BB02}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000090153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:15.847{A847701F-3A73-63EE-3A05-00000000BB02}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000090152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:15.589{A847701F-3A73-63EE-3905-00000000BB02}7363500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:15.321{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3A73-63EE-3905-00000000BB02}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:15.321{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:15.321{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:15.321{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:15.321{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:15.321{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:15.321{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:15.321{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:15.321{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:15.321{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:15.321{A847701F-127E-63EE-0500-00000000BB02}412528C:\Windows\system32\csrss.exe{A847701F-3A73-63EE-3905-00000000BB02}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:15.321{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3A73-63EE-3905-00000000BB02}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000090139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:15.322{A847701F-3A73-63EE-3905-00000000BB02}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000121361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:16.930{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4681E1F3165805B9958B311E08FBD03A,SHA256=16B648A3305A35271FEBFCE80FEE506EC554E53098A9D331096084AB2D3FF390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:16.112{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE74CFDFF0EB9DA75288EFF6546E8329,SHA256=9C8C68FBFE61BC76D8CAA9D347E9B3235D23844CC0C2499176E941D44B660EA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:16.034{A847701F-3A73-63EE-3A05-00000000BB02}2328400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000090169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:17.111{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF7177042ED118B2257EC8FDF4AB87E2,SHA256=42C8BDC1206B5447A63A9811827A86954ADF5F4F98697E6FA60057A5E48E0FE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:17.682{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4538BF1ADEC0A66458516B5E650E279,SHA256=62390B7E10142B805A662AD255E63D59CE8A8A7835B53410FE64C293C0556448,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:15.181{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64741-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000090168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:17.002{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FC72795119CF606EB166B5860156EFE,SHA256=EAC48FCFFD88EAC3F2B294A2DB62FB77631BE5CD8D7E980CF0231D363D0ED288,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:18.844{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3A76-63EE-3B05-00000000BB02}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:18.844{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:18.844{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:18.844{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:18.844{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:18.844{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:18.844{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:18.844{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:18.844{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:18.844{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:18.844{A847701F-127E-63EE-0500-00000000BB02}4122040C:\Windows\system32\csrss.exe{A847701F-3A76-63EE-3B05-00000000BB02}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:18.844{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3A76-63EE-3B05-00000000BB02}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000090171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:18.845{A847701F-3A76-63EE-3B05-00000000BB02}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:18.189{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=352816CD39CC360446B2F289DCCA7F01,SHA256=07CB7E9434CF76013EAE9BC09B8FA2D75A22C3429A872C65575AAF996E884D71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:18.003{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A537646EF3408FCD56F2A063E998269,SHA256=F1BD8BBB02EFADAEFFB7A329315A26EE49D290F54513984511A2EBAA09885616,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:17.244{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51694-false10.0.1.12-8000- 23542300x800000000000000090184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:19.274{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BF384B4382E9D62B7C441098C2CC950,SHA256=6AC626876034678DD336E7015881B236C52863935A608DF93EFDFD760C632F2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:19.087{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A122C7B44BA0F6173E84C4F1F00ABE6,SHA256=6B1C8A83189CBB3FE2B175EB3155B6519FC64602AAC0E75B454650E9F49BCA2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:20.886{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000090214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:20.884{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000090213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:20.882{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000090212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:20.880{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000090211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:20.879{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000090210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:20.877{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000090209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:20.877{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000090208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:20.876{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000090207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:20.874{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000090206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:20.872{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000090205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:20.870{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000090204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:20.868{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000090203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:20.861{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000090202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:20.859{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000090201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:20.853{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000090200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:20.851{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000090199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:20.835{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000090198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:20.829{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000090197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:20.810{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000090196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:20.804{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000090195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:20.798{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000090194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:20.793{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000090193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:20.788{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000090192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:20.782{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000090191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:20.776{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000090190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:20.770{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000090189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:20.765{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000090188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:20.757{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 10341000x800000000000000090187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:20.755{A847701F-1281-63EE-1E00-00000000BB02}19762508C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012438610) 23542300x800000000000000090186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:20.363{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1784CF6AB32100ADA51F0D49F753E316,SHA256=BB58E79657AEDB9D1EE125DF74B4492BAD32F1FC05FEE5EFBC445F3BAC91A838,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:20.726{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E611372BD6300C44BB1C01A30444A727,SHA256=8ABE571866BAF071C8DD2264DEFC1A5C4C4948EE4F85D3F05153F08F4071AC34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:20.632{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3A78-63EE-B105-00000000BA02}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:20.632{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:20.632{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:20.632{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:20.632{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:20.632{3F28B219-1282-63EE-0500-00000000BA02}412428C:\Windows\system32\csrss.exe{3F28B219-3A78-63EE-B105-00000000BA02}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:20.632{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3A78-63EE-B105-00000000BA02}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:20.633{3F28B219-3A78-63EE-B105-00000000BA02}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000121366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:20.181{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9855785888F6BFC983C531CB3F6576FE,SHA256=8FFB5610311FF8ACBBF046782E15F1BFAAA664EFDFE5CA962939E83B38A22682,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:21.957{3F28B219-3A79-63EE-B305-00000000BA02}65246204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:21.730{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3A79-63EE-B305-00000000BA02}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:21.730{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:21.730{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:21.730{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:21.730{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:21.730{3F28B219-1282-63EE-0500-00000000BA02}412368C:\Windows\system32\csrss.exe{3F28B219-3A79-63EE-B305-00000000BA02}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:21.730{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3A79-63EE-B305-00000000BA02}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:21.731{3F28B219-3A79-63EE-B305-00000000BA02}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000121386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:21.424{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D9F45364AE24418CD32233FBA240DD84,SHA256=B41999783D00E99B19F363218BF7FC5717666E1938F8F13F5B4E13AA2B39B150,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:21.282{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69D1FC9F6C57BA4336832B9F79D51485,SHA256=E31EC491099420354EBA12F870D57ECBF682B99A95FE6082B7975BA741803B74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:21.270{3F28B219-1293-63EE-2700-00000000BA02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-005f8c708c98243a3\channels\health\respondent-20230216112509-165MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:21.690{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E7AF9019AC1ABEA08293A0427D91B9,SHA256=9191296ABE11613CD92263256BAFA7F1205C7AEAA2499C26E10918B8B61425A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:21.125{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3A79-63EE-B205-00000000BA02}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:21.125{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:21.125{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:21.125{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:21.125{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:21.125{3F28B219-1282-63EE-0500-00000000BA02}412428C:\Windows\system32\csrss.exe{3F28B219-3A79-63EE-B205-00000000BA02}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:21.125{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3A79-63EE-B205-00000000BA02}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:21.126{3F28B219-3A79-63EE-B205-00000000BA02}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:22.737{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=398E6D49C6D97B118BCB207067A1D143,SHA256=BAAD45B75B50ED81B0E154162A77393EC60D402AEB528227A9BCA2011DD63F88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:22.849{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3A7A-63EE-B405-00000000BA02}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:22.849{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:22.849{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:22.849{3F28B219-1282-63EE-0500-00000000BA02}412524C:\Windows\system32\csrss.exe{3F28B219-3A7A-63EE-B405-00000000BA02}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:22.849{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:22.849{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:22.849{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3A7A-63EE-B405-00000000BA02}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:22.849{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=746F219D3E04C7B0A3D5834CAB3F3F33,SHA256=A61FC63EF1994DEFE7B2DBFA1940F726A0650ECD033BB2759E9011CD7B345CD4,IMPHASH=00000000000000000000000000000000falsetrue 154100x8000000000000000121399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:22.852{3F28B219-3A7A-63EE-B405-00000000BA02}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000121398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:22.364{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B1E4B7B7C29D85FECF491EF671EE046,SHA256=3C1BD4C5CDA07C4EE6702445610DF3F9B0791BD6E1A0A85D967C8A6B2FEAF057,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:22.282{3F28B219-1293-63EE-2700-00000000BA02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-005f8c708c98243a3\channels\health\surveyor-20230216112508-166MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:20.417{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64742-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000090218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:23.825{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C12439C3ED75E1B852E1309FAED41651,SHA256=430360254F06BF91374FDE7FD2D76DDD789D583F77A7505BFDE48600F88706D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:23.953{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3A7B-63EE-B505-00000000BA02}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:23.953{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:23.953{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:23.953{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:23.953{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:23.953{3F28B219-1282-63EE-0500-00000000BA02}412428C:\Windows\system32\csrss.exe{3F28B219-3A7B-63EE-B505-00000000BA02}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:23.953{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3A7B-63EE-B505-00000000BA02}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:23.954{3F28B219-3A7B-63EE-B505-00000000BA02}4736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000121410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:23.455{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C98A9C9874FEC131E559F6F58A14EA1,SHA256=0828300241A2E9084A56CD2CFA3E3C25AD8F599818152C0D61A506248B7E196C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:23.208{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=584BCE363CCD3AAE3CF77EBCDA4B7E31,SHA256=97BA668B4FFB499E5619A71382E5B212100EB75E438E17014A810C9C0C1CABDD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:23.177{3F28B219-3A7A-63EE-B405-00000000BA02}52883080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000090220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:24.906{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=301A6EDA79C20F75EDD26E564AB78EFE,SHA256=21F277AEF0CA5871C319BB2D875B189E4619095B8E65F48EEA8B24FE53AAC2D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:24.624{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3A7C-63EE-B605-00000000BA02}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:24.624{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:24.624{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:24.624{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:24.624{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:24.624{3F28B219-1282-63EE-0500-00000000BA02}412368C:\Windows\system32\csrss.exe{3F28B219-3A7C-63EE-B605-00000000BA02}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:24.624{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3A7C-63EE-B605-00000000BA02}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:24.625{3F28B219-3A7C-63EE-B605-00000000BA02}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000121420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:24.561{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E45F4895B774E903C662D19B4840BB48,SHA256=18E370363C2EEE59A44C2F229A0A7D7FBA07426B5E0DF02473C3B1FCC17E1A87,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:22.345{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51695-false10.0.1.12-8000- 10341000x8000000000000000121419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:24.187{3F28B219-3A7B-63EE-B505-00000000BA02}4736864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:25.631{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C984FBC1A5D18B47E15288DEB687ACF,SHA256=CA797B02DBAFC73D307B3B35B92DFF86625B980A54BC2FC15DB9D0A5B3430C2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:23.587{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local64743-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local389ldap 354300x8000000000000000121430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:23.587{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local64743-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local389ldap 10341000x8000000000000000121429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:25.045{3F28B219-3A7C-63EE-B605-00000000BA02}25285596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:26.725{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99918E95C9CEF5F2A09DCC63272EF379,SHA256=31918BCB89F6EC4C93A8A00D98DC53B149B9B66D92704CEEBEB0EFA6F93940AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:26.002{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34C6BC8198291B491B5E09767751F9C0,SHA256=B5EF043D6E703EC3301E45E04C735BE667811AB6A3F6EE0F4A47544ACC4144DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:26.538{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3A7E-63EE-B705-00000000BA02}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:26.538{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:26.538{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:26.538{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:26.538{3F28B219-1282-63EE-0500-00000000BA02}412368C:\Windows\system32\csrss.exe{3F28B219-3A7E-63EE-B705-00000000BA02}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:26.538{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:26.538{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3A7E-63EE-B705-00000000BA02}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:26.539{3F28B219-3A7E-63EE-B705-00000000BA02}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000121442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:27.802{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=309C1EF0BD3886F0CCFA11430AAEB759,SHA256=17EAA5C8B328E2CFEBB09C4FCD7CC2DEA235760DD89D86EEDAE7F0227C1B5924,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:27.083{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=946CD7B8F16A69C10691E66C241AF9F2,SHA256=0FF8BF5789372E34043B94526446DB7E2D1F7C48324A106A59C6316ED3EA924D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:28.890{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AD148F2E64F46C0B6210507B54A59FC,SHA256=5699147CB5309801319E3214AED6B9CC59D85B9AB42AA847A3F53D8222F2A02C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:28.188{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EA30D59FC7634F1B33B65D6B594618D,SHA256=2CBA5ADB9C73E1B4B2E3F8EB070C11E41693197FADC9C254E923F17A18B2DAAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:26.281{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64744-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000121470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:29.928{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=871B27D61DD08878566403D0FBC53051,SHA256=390275E95261B330E503EDF73C726C5483DDC8AD1FE2EDC3C0749C7DE5B1E1EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:29.285{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EEE4CA86F56B37054455F29C635991C,SHA256=BDADCE5F6BC378A3204E53852E9262A0562FE9D8B722CAE995C744557DD2D995,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:29.558{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:29.549{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:29.543{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:29.536{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:29.521{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:29.498{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:29.493{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:29.476{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:29.465{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:29.460{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:29.457{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:29.453{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:29.438{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:29.414{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:29.407{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:29.398{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:29.377{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:29.354{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:29.317{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:29.274{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:29.262{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:29.249{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:29.236{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:29.139{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:29.128{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x8000000000000000121473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:30.960{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=670B04D8CE621F0E01681651174E7230,SHA256=7DF9760ACBDF45D9DCED2F52D4C58AF8D495C45930C153A9CA871E34F2FF411E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:28.340{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51696-false10.0.1.12-8000- 23542300x800000000000000090225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:30.375{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6013277B8A21BBDDB1D17FD8027BE5A0,SHA256=64B3D681AD3628CBCB6251BFF8C58675337017ACB18AC539382829222CD73C9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:30.589{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=75DDA8E658894A5532BB2D6F65CB22DE,SHA256=5EA58499BD3CF8F1B940D21E7E658530BD373BD4B84E5D1DB59C62B7E22D3E03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:30.080{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x800000000000000090227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:31.456{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFA451B9DAF4BDA03E57796480EDCC60,SHA256=A8A94717BD8D506A3C57381C4368D779DBE45B2D7767A48FAFD59B8DD20E05DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:32.528{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2AD3DC1C7B6808F75E1BBD027DCC715,SHA256=655A451CE53DCADD69D4BDA5DA96CB349B4F16036251A8A955353DC3960D2E84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:32.783{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:32.768{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:32.764{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:32.758{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:32.755{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:32.729{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:32.710{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:32.675{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:32.667{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:32.650{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:32.643{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:32.641{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:32.639{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:32.635{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:32.633{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:32.631{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:32.627{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:32.553{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-14C1-63EE-EE00-00000000BA02}5488C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:32.120{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:32.119{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:32.118{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x8000000000000000121474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:32.040{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9EEA846697D248EE4F9C29F380F45ED,SHA256=FBABE338E092874F8F7A628B2CA07D46BCDC059ADB1829DB36A15625F78BD291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:33.608{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53DC6715F5D5DB6489F25886D26C973E,SHA256=1BDA0B796417A69371935E4DE34072E1BC73C8F264A5400B486AC4AB66B70779,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:31.408{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64745-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000121496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:33.106{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6B67FB757564EC3F7495DBF732150A5,SHA256=9B0083B141B70A6E92DABC872C187D62FA636B313B9195A81AB8EC6EAC5C42CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:34.681{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F6E49EF0525BD8DF12A25AD3171E15E,SHA256=25965F2465CE77A4A556CF7474D47EE4BA4B6E479877E7AF356DC9765F5C6B56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:34.172{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA04DF08D4537F0E94B3F5CFFE12F8D8,SHA256=25F397A8051B055AF155F6978A3FA56AEE6CF661230F4DF999EA1676A251A430,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:35.766{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9F2DDB6E7F04E839EBCDE67261E4614,SHA256=5CA3BEFAA1DBA924FBDC75861BAE75D77331D8ABE26F9234ED99F4F7BCEBB273,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:35.262{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D74C54F4CEAE00D7FCD6E000FD239BF9,SHA256=49071CFE3F45BBA9397DB3D715FA793D94385BADBF893DF979FDE29BDFD7CDB5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:34.243{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51697-false10.0.1.12-8000- 23542300x800000000000000090232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:36.834{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D21413C1DDA4EB9B2106DE56585C3C74,SHA256=9A06827C484F82DEDDF92C6B8751FFB4B2D96D96C8C230CBD2E0CFCB5E087C42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:36.342{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72120E78F3571FF8C43B4D654CF99471,SHA256=16ED39D9CA864CB48E90FC833FB6FC5B05E4C8A2A5D6099D6E20E622A57D8A21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:37.904{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3BD54A73A7DB45BE8B4635B9DE55082,SHA256=8AC283242B6B442D9A7BF6F6D271197848DF924252B6485D9487959C54405239,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:37.423{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=000F083D14E39A733B77FFC7C099D640,SHA256=C6AD1282EC3C257CA06798A65C396540BDE60BDEAE8C0A193B42973D82CE1848,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:38.511{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2CACEC579B955753E6B8AE3E042BB0C,SHA256=005BDCA03476C315016ACB385D6AC5A3342D77385AB013B92C506BB3BF69736B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:39.587{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C219D5D8E004F3D39026AC0DE51F4B5,SHA256=958C6492F94DE8723C05A7448673E30C702C3BCD9397F0FEEC405E3FCCC1393C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:39.001{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0EB5FA97773591FB181FE292416A9E8,SHA256=B3234759F7E3BC7DD0E14DF15453C378DF8B6E4D93A9351876DE55AA05FA60BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:37.408{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64746-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000121506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:40.686{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B4A8AE4466FF2F50D76DE139691BA11,SHA256=BAC504BF425F5105B7F0293ABE49EC23832C36439183E22C226551281EABAC13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:40.637{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C9EF13AECD2A3D71143DF19D4272C9D4,SHA256=3FBE9F23DEAD011D12CE49A4D4F0B5D9A2D1C89CE1F0364603D9B76257553989,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:40.953{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:40.947{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:40.943{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:40.940{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:40.938{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:40.934{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:40.934{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:40.932{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:40.930{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:40.926{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:40.921{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:40.913{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:40.903{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:40.900{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:40.893{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:40.890{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:40.879{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:40.869{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:40.843{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:40.836{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:40.825{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:40.819{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:40.801{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:40.793{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:40.786{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:40.778{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:40.770{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:40.761{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:40.757{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 23542300x800000000000000090236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:40.088{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4423894773E471A03C23E83005F36DA,SHA256=2FAC590285638FB6248C86FA5DD6712B33F2110029B5515F3D3B58C86C240C96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:41.657{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=938696736B8CD8B270D36EF3587E3D05,SHA256=1B781C9945FD3036016663542488543E89432F7B73B8F2004912FF7A49A865E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:41.595{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B995C43782CD75594F86FD1EB3AC0F6,SHA256=D54A6B3A4DBE67CE7BD9F70E2D700F359C119352EC414A698FED7C9F55BC07C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:42.725{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43F6AFF09A6DC55A56DFD26A24BF4FCA,SHA256=2641A1EEE0059F1AABC68C3FB6445E478BC208BC32E2CAAC316905498AAD0530,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:42.674{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=867D50FBBF8A3E5FA4C0CB7236A9E459,SHA256=9D28F509A18CC311419C6CABF99F79E3C0E6B2D0CDDB4E89A26AB82C7E5F2EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:43.771{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62EBC55AADC6506988574DD836B1440F,SHA256=F9218ACCD0BC92EBD427FBB4C03A18872C6B753A2E2169CA4E1155D3E79B2555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:43.808{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4964685B3BD489A810730BFA7F761770,SHA256=B6B9F206FB92132940AC8FDE47AA29B26249A6D5DB5994523C75E3D9B328B879,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:43.252{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FF6960969EF274582FB7E546C871F4C5,SHA256=D7A48381C0E2F2C8DC54008A448369221FDFD69C9EDAD611316D193F7DFDFD56,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:40.223{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51698-false10.0.1.12-8000- 23542300x8000000000000000121511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:44.892{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BA013C56A302C1BAC9FBF864C1DC0D4,SHA256=A0290D35F494F013D06A4025E49810A89D1763E48B728BCBA1DA83D211A6CB43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:44.846{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E98A4AC8F83D361100410D32DF52847B,SHA256=DBD1180FC2363163B8BB5021E73F1508172896D5D98581CDE7AB4666048E4FB5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:43.288{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64747-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000121512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:45.982{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C175B42DF2FA112FC0DA8F068D374E36,SHA256=60524A470A3B392D9EBD6C7353ADAA4A4CCD175924A7D9582BF2C71A635A6DDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:45.945{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=438DF77ACFD0E763477C39524C09435C,SHA256=CD54AFE6B5194F20317B02BE2015B5380132F075FA3A4BA8FEBEDF217D6A8316,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:47.075{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21C3F23E62242DC549DBA36C6503B357,SHA256=45931304C8F2FE96650E702A80FB21043AD036E638CA6B287AB27F6D569F9E61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:47.029{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2709B84EB868A6BE62F42B756371053F,SHA256=37C67AEE146B0047A6D800C358DFA6FBC259FE77E389D7DCFC21DAEE9A449A46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:48.138{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=450606D9A7F19D30F8EC336E258AD0A6,SHA256=12C5DCA96C4BCA3545BFF91066BF209592A87DEC0552C6ADD555EE8FB3A59755,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:48.102{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93CE76A614C94CA581DEB4F06EB4E956,SHA256=A7B915068D40D13046CC5F9231F920AC8E92F3215722F423790998611E008CAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:46.240{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51699-false10.0.1.12-8000- 23542300x800000000000000090275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:49.192{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DED84E02C436815B691C360F34A7FC7,SHA256=199EEE087B75BE077D53E502D145BC563A50CBBC38650EB5562CFFF32DE70D75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:49.913{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:49.377{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:49.369{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:49.367{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:49.361{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:49.355{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:49.346{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:49.343{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:49.329{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:49.321{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:49.318{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:49.316{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:49.314{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:49.306{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:49.288{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:49.282{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:49.271{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:49.258{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:49.243{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:49.231{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x8000000000000000121521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:49.208{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C38A3C0117F926C177DA57753BBC0B0D,SHA256=9347CC0BB2A9A5BA27A253BA19D4DD269E199A4C713414FA5B7A96E686F1B1E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:49.197{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:49.190{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:49.180{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:49.172{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:49.126{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:49.123{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 354300x8000000000000000121544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:48.328{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64748-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000121543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:50.661{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=364EC4137E590833F8BE2661D0B6B9A5,SHA256=CC7DD8D25F777443997F13B047290637756E368F174D33E4708A0AC3E90D911B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:50.231{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F9068DCC55DC0A576865A9D104859FF,SHA256=F7464DC25125715D32873E7C2BEDD2E524A2CEA5982A57285BA49FA3D52B9C78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:50.275{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D6D6C8B7ED2DA9ADF1EB7DFB1CB9FA7,SHA256=42F96DCA53ECC92B75E85F97EEFF79BDAEA41E8A86B1DF4B8D120BFA110789B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:51.946{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:51.945{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:51.943{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x8000000000000000121545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:51.412{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68F9FE39752D4148F05B45F054D45DF6,SHA256=0FEEDE0FF9ECE04C21D24E2175AF0D73D4D3B469A3A16ECF1317408CE823F89D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:51.367{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EA77EB165572741A394D782254A0419,SHA256=3E5EAB7D479703EEED1D79D706FD7EBF6F5CDA59051C339CC45E6BA364A735DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:51.054{A847701F-1280-63EE-1200-00000000BB02}1016NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CC2AD3B72471A796DACD6E1F36823576,SHA256=72110C5DD8F29350AC5F4AD8537415A63771355D1AF3F3793C3BBB0CA09D0589,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:52.578{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:52.568{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:52.567{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:52.563{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:52.560{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:52.544{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:52.531{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:52.504{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:52.494{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x8000000000000000121557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:52.489{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD7FCF1EA2510BA08A2D1ABDCCB7B154,SHA256=0E0FD8EF4DD6B6FB96CF99E1D5098BDB32A20164AF42001A7B40AF14461F16C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:52.484{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:52.480{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:52.478{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:52.475{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:52.472{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:52.470{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:52.469{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 10341000x8000000000000000121549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:52.467{3F28B219-14C1-63EE-EE00-00000000BA02}54885632C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000135803D0) 23542300x800000000000000090280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:52.434{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60E8C752E3E842963D82314AFA92931E,SHA256=1728A196CAE43F3CBF30B0F879A5131975BD4129186F9B660A5BF006D78A5691,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:53.560{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31DED61AA1BEC2174AF4903C37283678,SHA256=032CCA7D0221B4C78FC5485BE4A1DC00989928B1610C9E6E8F235A14D3F64F98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:53.533{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=821FF5540D9FE984E3D9B3E6DB26A157,SHA256=B826D50A5CF7962E9CB19DEB683E1BD2DEABD5606062E8D3B9D22631318D386D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:53.341{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B44D6538223A320C5DE39667D8F25FA1,SHA256=3E6EF44FF3EDEA46326C258CE09431963CBC1C36CDD80AF2E0FDBACD88D03578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:54.628{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07AF7CFC7E1C60A96D047CFBA109B796,SHA256=EE3644F7A698638F084174434F07A30B1C98848E08C60A6AD5856517A43AA17E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:54.882{3F28B219-1285-63EE-1100-00000000BA02}756NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=64FBFD4714B77063DD8B58D9538CB3FB,SHA256=7D4F7DCDFC20E772B35873CC38B6B78D1211F73FC2761C568F08CEC2C04BEBDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:54.674{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2B6BB1D3C0F0FF0E1D144B91E987135,SHA256=8460E9E7E8C6ABB782EAA004855462C5B46186DD936C9FFA8DA4AA2F8F1B348F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:55.722{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33ABF2847F1F30840DB25C29F7C9522D,SHA256=8D790DCFB40D7EC3313B7ACFF6F6D751CCB20788211CBD99842D46D336BDE202,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:54.222{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64749-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000121571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:55.773{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833A8400A3C0822776C71709A63781A9,SHA256=2EF8E9166196D7CFD3FD30467B9DA1AE612F230EE17CFF0F9AB0A991CA4D63CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:52.135{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51700-false10.0.1.12-8000- 23542300x800000000000000090285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:56.797{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF2EDBE85235A9D901C56ECB7828F14E,SHA256=CCB27D1EE00427B02E4242F577D6715AEE0FBBCEC49DEAA09423AA8E1965FC60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:56.846{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B734722746CD51D2F06E1A4D5E5D4206,SHA256=A8FB47A399AB77D3523471D36755C7C64F56E06722871942A683FBD6BA56D4F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:57.934{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3A9D-63EE-B905-00000000BA02}6792C:\Windows\System32\InstallAgent.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:57.934{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3A9D-63EE-B905-00000000BA02}6792C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:57.934{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3A9D-63EE-B905-00000000BA02}6792C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:57.933{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3A9D-63EE-B905-00000000BA02}6792C:\Windows\System32\InstallAgent.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:57.933{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3A9D-63EE-B905-00000000BA02}6792C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:57.933{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3A9D-63EE-B905-00000000BA02}6792C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 23542300x8000000000000000121592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:57.926{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5FFCEBF7443E65DF61E9170D0E6EDD3,SHA256=7935B3A022E0B26AF8AC46E9A20D4F3FEBA0AFB305A18341874E9B61666ABA77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:57.883{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9E9CFFD8D600D8DB7B723A7CFA6B6E2,SHA256=1A3CFEC5062C7EC4708D82FB26583498482747497FF8D1B9F8DB890004E3E556,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:57.849{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:57.849{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:57.792{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:57.792{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:57.761{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-3A9D-63EE-B905-00000000BA02}6792C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:57.745{3F28B219-14A8-63EE-C600-00000000BA02}4364512C:\Windows\system32\csrss.exe{3F28B219-3A9D-63EE-B905-00000000BA02}6792C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:57.745{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:57.745{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:57.745{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:57.745{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:57.745{3F28B219-1282-63EE-0500-00000000BA02}412524C:\Windows\system32\csrss.exe{3F28B219-3A9D-63EE-B905-00000000BA02}6792C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:57.745{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-3A9D-63EE-B905-00000000BA02}6792C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+26002|c:\windows\system32\rpcss.dll+415bd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:57.742{3F28B219-3A9D-63EE-B905-00000000BA02}6792C:\Windows\System32\InstallAgent.exe10.0.14393.5127 (rs1_release_inmarket.220514-1756)InstallAgentMicrosoft® Windows® Operating SystemMicrosoft CorporationInstallAgent.exeC:\Windows\System32\InstallAgent.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{3F28B219-14AB-63EE-60D5-0D0000000000}0xdd5602HighMD5=FAED69010377AF73D19BF070833DA674,SHA256=094990F2727BAAFC51D74571EA32C18CEFCFB6C66B80EB91F3952C007CE9FC31,IMPHASH=EAB6EF3DE625719627DC808B5F0501FC{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000121578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:57.698{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:57.698{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:57.698{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:57.698{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:57.698{3F28B219-1285-63EE-0C00-00000000BA02}8324592C:\Windows\system32\svchost.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000090287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:58.970{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8D9D37B226A56C698C04D7EC9BC8E8D,SHA256=9F6517D92D69400E6BE04AE9B0AE970D1EAF954EE0672A97A4502D4B1E83C09D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:58.777{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5570A3E03A16104DFA54D6DAEF937B1,SHA256=75EC363C7DACDB8F91D92AC0D418A5263BCF51FB1FAF084E3F9C55CB68D30A88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:58.011{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=73D5C947E7C1AD192D02B4FEFB6A0E9A,SHA256=CCD4B0D5281BC0855171448FAB443681E95196CE14CF36195EDF355042470A76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:59.725{3F28B219-14C1-63EE-EE00-00000000BA02}54885660C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3A9D-63EE-B905-00000000BA02}6792C:\Windows\System32\InstallAgent.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080A90) 10341000x8000000000000000121603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:59.725{3F28B219-14C1-63EE-EE00-00000000BA02}54885660C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3A9D-63EE-B905-00000000BA02}6792C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080A90) 10341000x8000000000000000121602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:59.725{3F28B219-14C1-63EE-EE00-00000000BA02}54885660C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3A9D-63EE-B905-00000000BA02}6792C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080A90) 23542300x8000000000000000121601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:59.011{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3A858D0BA43BA8604EE1A25EA58A4E1,SHA256=96E71005F9232773D83762860B9776D8AFB133A4E3EEBFDD26D875FF4D71CC80,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:15:57.352{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51701-false10.0.1.12-8000- 23542300x8000000000000000121606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:00.615{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A14BF9E41877A46CF703787806D70CD3,SHA256=C7480F1BD5A86D9575E94A62FE713C8FEE9223905D4847AFC1AA259167CD60FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:00.090{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E84AD96BB0DE9AA7F5F537F4CFBBC3C,SHA256=7CAE15B4FFA77EDA122B68CCD83676E674B912A52D8C863768F1DF7838A96760,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:00.995{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:00.992{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 23542300x800000000000000090316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:00.992{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=281B95656156CCFC1211A59F701603F1,SHA256=86EC2ED804979D2F26D869E18FE5EEF314C2344A30388E16CC0816FC1020DA93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:00.988{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:00.987{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:00.985{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:00.984{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:00.982{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:00.981{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:00.977{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:00.973{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:00.970{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:00.962{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:00.957{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:00.949{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:00.946{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:00.933{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:00.924{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:00.897{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:00.891{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:00.884{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:00.877{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:00.866{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:00.837{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:00.829{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:00.820{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:00.810{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 10341000x800000000000000090291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:00.787{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 10341000x800000000000000090290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:00.770{A847701F-1281-63EE-1E00-00000000BB02}19762872C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000128803D0) 23542300x800000000000000090289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:00.059{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36326A3B40C535C245F39B1C6FCFEEDB,SHA256=2C8970093D99D12B166A1A33582B0B2FD265FE0E7E99CF9BDF5C25650B468E5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:15:59.351{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64750-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000121607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:01.242{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=233ED15FFC8067A509023DBFFC3F5D83,SHA256=15483A80222D147BF34F45860AC0F8A56BEFD84A5EB644D7507EAE37976498BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:01.261{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC8620283DC67895F7C25E99494DFD67,SHA256=294B35AE4A28227923ECFA77198AE690E0A8E4EDDB22375DAA70AFBF1EA59D96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:00.999{A847701F-1281-63EE-1E00-00000000BB02}19764000C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000187B6190) 23542300x8000000000000000121609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:02.325{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDBD1C2786DF8A4B721D49290EF8C67B,SHA256=E505A8B80CD1EC55CAA007032154FB58F3C6AC19C952272DF17C024C6EB20251,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:00.078{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51702-false10.0.1.12-8089- 23542300x800000000000000090321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:02.323{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF0492DAA8B254FC87251A512F9DAECE,SHA256=1548CCC3499027CC47E99158F8C7FAEFCC8A8E828D7BF21030C4961A9A75B7FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:03.402{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFFBAFC89618EB351FDEA86646A2B89C,SHA256=B4B12EEB90E2D4C6F187C76781D83795964051A79C61A2F537F1EDA05D7707E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:03.397{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D13B901F2B65E4CB39FC0BA3452BB61,SHA256=9BC694D92805703A271A9477076CEE17582054CC92EE7F2B94808055CA3749E9,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000121616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:16:04.528{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\90005E51-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_90005E51-0000-0000-0000-100000000000.XML 13241300x8000000000000000121615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:16:04.512{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9C56FEC4-DF75-4A6A-8202-93F7FB933FAC\Config SourceDWORD (0x00000001) 13241300x8000000000000000121614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-SetValue2023-02-16 14:16:04.512{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9C56FEC4-DF75-4A6A-8202-93F7FB933FAC\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_9C56FEC4-DF75-4A6A-8202-93F7FB933FAC.XML 10341000x8000000000000000121613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:04.512{3F28B219-1283-63EE-0B00-00000000BA02}628824C:\Windows\system32\lsass.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:04.512{3F28B219-1283-63EE-0B00-00000000BA02}628824C:\Windows\system32\lsass.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:04.481{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB4AFE6A75F0C150BF23A046B2BF9B16,SHA256=24061BB32C71F72523DA89E20697FFF04250F4BBB9576B47DD1BD87D48573F3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:04.470{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AC6AB39B89A769C92860DED9B60B3AB,SHA256=DF6B745E5DFA8A54D240143D5CC007D5850FD46A5ED726BDC978E3E9E0D13039,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:03.252{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51703-false10.0.1.12-8000- 23542300x800000000000000090325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:05.548{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1061837809D3ED74A2D0F35FFC38B9FE,SHA256=FF6E2FB6977988FC1375830729B860832E21A7347BDB27AF41C04DDE2F171C1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:04.673{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local64751-truefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local135epmap 354300x8000000000000000121621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:04.673{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local64751-truefe80:0:0:0:952:3b50:fdc8:f217win-dc-ctus-attack-range-295.attackrange.local135epmap 23542300x8000000000000000121620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:05.577{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A641CA300F55AF319D2E0DE9269D2DD,SHA256=BD810D23B28E0244ABFCFFB7D625F8D42D9FDA2F698E161E207570E7CB2B747E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:05.359{3F28B219-1283-63EE-0B00-00000000BA02}628668C:\Windows\system32\lsass.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:05.359{3F28B219-1283-63EE-0B00-00000000BA02}628668C:\Windows\system32\lsass.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:05.359{3F28B219-1283-63EE-0B00-00000000BA02}628668C:\Windows\system32\lsass.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000090327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:06.609{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF17B886AA47119CF0127BEE13FAF1BD,SHA256=613F78C0CD53D904A24CAFAF9D9C4259EC6F5323ADC5456AE3240C095CA31A7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:05.517{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64753-false10.0.1.14win-dc-ctus-attack-range-295.attackrange.local389ldap 354300x8000000000000000121631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:05.517{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64753-false10.0.1.14win-dc-ctus-attack-range-295.attackrange.local389ldap 354300x8000000000000000121630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:05.223{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64752-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000121629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:06.648{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56B4FF3F8420AAE8EB06B78B3ED0529A,SHA256=0726582DF21BCB5B19FBAFA7893C95A9C9DBE4510B30B11A7EBDA97E618428A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:06.398{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D8F001180B9AD09DB71563F149EB094,SHA256=D7333CB0BFA5B524598DCC997450D3CCCE43AE6CEA7B0015B9597F43A6B30431,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:06.366{3F28B219-1283-63EE-0B00-00000000BA02}628668C:\Windows\system32\lsass.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:06.366{3F28B219-1283-63EE-0B00-00000000BA02}628668C:\Windows\system32\lsass.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:06.194{3F28B219-1283-63EE-0B00-00000000BA02}628668C:\Windows\system32\lsass.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:06.194{3F28B219-1283-63EE-0B00-00000000BA02}628668C:\Windows\system32\lsass.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:06.194{3F28B219-1283-63EE-0B00-00000000BA02}628668C:\Windows\system32\lsass.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:07.704{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:07.704{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:07.704{A847701F-127F-63EE-0B00-00000000BB02}628716C:\Windows\system32\lsass.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000090330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:07.692{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A022AE362949C2A826B9DE2D1C93502,SHA256=77AE270A1616EFEECB3EF0CA2DBF3B0E2D6653922546E97285B55F26232979BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:07.691{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1E00-00000000BB02}1976C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:07.715{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EBC76B6182AF1EAB47CE43E85CC7C8E,SHA256=212038A698FC70744D3F24DA9F9CDBA729FBCBFBEFCBAE1257BA29AFA22D2FF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:07.367{A847701F-1281-63EE-1C00-00000000BB02}1884NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0729cc0666dfd4ba8\channels\health\respondent-20230216112453-166MD5=B67CF1AA8F02C4F88F32B9662830A5FC,SHA256=A3185EA3A347A8F67D824B533332877713B0C696AA9DEB83501331F2F0EF2A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:08.788{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8F3B9F3E1CA897E173AC5FB623C3BD8,SHA256=35DBDA01E14FE276031D81C1457FB68722818E9DE4444358A717814EF48DDC93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:08.810{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABA9A5842E5EAA8CD96A2A11FF01376B,SHA256=00BA5EA9F3A7A0EA0AA4BAC2752FEB9ABD345DD873CBB2507464A8036D2905A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:08.378{A847701F-1281-63EE-1C00-00000000BB02}1884NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0729cc0666dfd4ba8\channels\health\surveyor-20230216112450-167MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:06.353{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64754-false10.0.1.14win-dc-ctus-attack-range-295.attackrange.local389ldap 354300x8000000000000000121634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:06.353{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64754-false10.0.1.14win-dc-ctus-attack-range-295.attackrange.local389ldap 23542300x800000000000000090336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:09.882{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCDDDA442A07236237E230E2697BE334,SHA256=83BF287393A2B4513E38DE59D1A52AFA5FF44F01D03B54A5A8E1665C088FFFB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:09.955{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 23542300x8000000000000000121662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:09.847{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F62EA85929F24F303577A16BA7140E5,SHA256=2AC4DEEE6D589735178DE24FCA7CCE256F468381EA798E3DB6814E37606CB426,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:09.472{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:09.468{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:09.467{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:09.460{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:09.453{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:09.439{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:09.432{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:09.408{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:09.395{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:09.392{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:09.388{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:09.384{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:09.370{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:09.346{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:09.341{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:09.333{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:09.321{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:09.307{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:09.294{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:09.255{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:09.243{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:09.226{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:09.206{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:09.131{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:09.126{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 154100x800000000000000090353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:10.996{A847701F-3AAA-63EE-3D05-00000000BB02}600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:10.979{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54EDF76DBC91D1229D554D84B69A070E,SHA256=3C1707347719C1F834B184E6EB9DF7B3D9F2323D9E07642071EBD4430CCDD213,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:10.948{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=281B95656156CCFC1211A59F701603F1,SHA256=86EC2ED804979D2F26D869E18FE5EEF314C2344A30388E16CC0816FC1020DA93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:10.948{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DA0CA4939C619B0EB823C4862C779FF,SHA256=5BE853443D03EBA09576D59B714A0BFA59ADF4136859B6683240B74BD6763E2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:10.722{A847701F-3AAA-63EE-3C05-00000000BB02}39482892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000090350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:08.274{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51704-false10.0.1.12-8000- 10341000x800000000000000090349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:10.480{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3AAA-63EE-3C05-00000000BB02}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:10.480{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:10.480{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:10.480{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:10.480{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:10.480{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:10.480{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:10.480{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:10.480{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:10.480{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:10.480{A847701F-127E-63EE-0500-00000000BB02}412428C:\Windows\system32\csrss.exe{A847701F-3AAA-63EE-3C05-00000000BB02}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:10.480{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3AAA-63EE-3C05-00000000BB02}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000090337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:10.481{A847701F-3AAA-63EE-3C05-00000000BB02}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000121664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:10.675{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0F2AF0393BB78DF8DB4EF748280B2444,SHA256=C1186BA756F5787C827EB17234C7D928E30BFEB488785ED4CF02A8B56529A605,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:11.972{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:11.971{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:11.968{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 23542300x800000000000000090367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:11.603{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=437BA5D6D267FAF4D80AB5659B00E47D,SHA256=1EB61FD8FF430F6966300F60D41C5DA6ABD4BE9B538A58A776320C36FB82995A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:11.385{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=11DE7B2EAC03FCED26B52DF718302326,SHA256=03666BA7AAFCE1898EA033F0C2FC6E915196FDE05B6256A2C6B0CC24E48CE467,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:10.995{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3AAA-63EE-3D05-00000000BB02}600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:10.995{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:10.995{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:10.995{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:10.995{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:10.995{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:10.995{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:10.995{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:10.995{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:10.995{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:10.995{A847701F-127E-63EE-0500-00000000BB02}412528C:\Windows\system32\csrss.exe{A847701F-3AAA-63EE-3D05-00000000BB02}600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:10.995{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3AAA-63EE-3D05-00000000BB02}600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000090368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:12.158{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4BE6A39C6CF487DDCFDF1D6DB38E87C,SHA256=343C0E2E16998A576E7C3FA39323CCB867EC99A10464CE6F95CC4FCD391870A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:12.634{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:12.624{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:12.624{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:12.620{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:12.614{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:12.588{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:12.575{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:12.530{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:12.521{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:12.503{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:12.493{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:12.491{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:12.487{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:12.484{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:12.481{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:12.480{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 10341000x8000000000000000121672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:12.478{3F28B219-14C1-63EE-EE00-00000000BA02}54881940C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001BB063D0) 354300x8000000000000000121671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:10.277{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64755-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000121670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:12.014{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A228E7C75DC5E0995DC28B58918A8E0,SHA256=912C3484F782595C0E4FDF3260207FA7BFBC19F5B3746496444E820E201FB0FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:13.608{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3AAD-63EE-3E05-00000000BB02}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:13.608{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:13.608{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:13.608{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:13.608{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:13.608{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:13.608{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:13.608{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:13.608{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:13.608{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:13.608{A847701F-127E-63EE-0500-00000000BB02}412428C:\Windows\system32\csrss.exe{A847701F-3AAD-63EE-3E05-00000000BB02}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:13.608{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3AAD-63EE-3E05-00000000BB02}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000090371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:13.608{A847701F-3AAD-63EE-3E05-00000000BB02}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:13.451{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0FD6053219A2B2DEEAC8C455A2A5C2C3,SHA256=13B53E89DB374235B4F63225770F888F6C1CC4C6CD932FBC7D27862665B9A0F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:13.235{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C3F2CBCD7D9527AC44C3E6CC98C162B,SHA256=EFD6C1AE93A556DC516806A5AB821B278194B7C23805F5A1ADF549C12375A84F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:11.107{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64756-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000121689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:13.091{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2E225D2D871E5C20E75CA183C7D89A7,SHA256=8E543CC7E103619C7DB5ABF4659A0A9FF3516788FC2ACE2FDA16360453F200D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:14.892{A847701F-3AAE-63EE-3F05-00000000BB02}40283504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:14.704{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3AAE-63EE-3F05-00000000BB02}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:14.704{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:14.704{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:14.704{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:14.704{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:14.704{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:14.704{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:14.704{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:14.704{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:14.704{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:14.704{A847701F-127E-63EE-0500-00000000BB02}412528C:\Windows\system32\csrss.exe{A847701F-3AAE-63EE-3F05-00000000BB02}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:14.704{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3AAE-63EE-3F05-00000000BB02}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000090385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:14.705{A847701F-3AAE-63EE-3F05-00000000BB02}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:14.318{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14B90AC88384ACE427D80AC9E4B7E4C7,SHA256=2248E0DD409ADF400B83E1A93C811CE4B0519269F814D59494C1B57A99720BF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:14.176{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0C7F1B90F7AF16257098AB38A095CC1,SHA256=B8DD7217519F0AB4F9A750CC1648B86902AD7CFBF2073E5F856B1692B39D95DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:15.889{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3AAF-63EE-4105-00000000BB02}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:15.889{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:15.889{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:15.889{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:15.889{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:15.889{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:15.889{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:15.889{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:15.889{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:15.889{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:15.889{A847701F-127E-63EE-0500-00000000BB02}4122656C:\Windows\system32\csrss.exe{A847701F-3AAF-63EE-4105-00000000BB02}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:15.889{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3AAF-63EE-4105-00000000BB02}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000090420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:15.892{A847701F-3AAF-63EE-4105-00000000BB02}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000090419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:15.673{A847701F-3AAF-63EE-4005-00000000BB02}11283816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:15.552{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3AAF-63EE-4005-00000000BB02}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000090417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:15.552{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3AAF-63EE-4005-00000000BB02}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000090416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:15.550{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3AAF-63EE-4005-00000000BB02}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000090415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:15.550{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3AAF-63EE-4005-00000000BB02}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000090414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:15.550{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3AAF-63EE-4005-00000000BB02}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 10341000x800000000000000090413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:15.550{A847701F-1281-63EE-1E00-00000000BB02}19762020C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3AAF-63EE-4005-00000000BB02}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480F10) 23542300x800000000000000090412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:15.440{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19B516200C1929B2BA99F12B4650719F,SHA256=A49D14CFD6F438A111E154F9BBDA4CECD8B03643D827B68E280DD2D72C1AABBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:15.368{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3AAF-63EE-4005-00000000BB02}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:15.368{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:15.368{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:15.368{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:15.368{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:15.368{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:15.368{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:15.368{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:15.368{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:15.368{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:15.368{A847701F-127E-63EE-0500-00000000BB02}412428C:\Windows\system32\csrss.exe{A847701F-3AAF-63EE-4005-00000000BB02}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:15.368{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3AAF-63EE-4005-00000000BB02}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000090399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:15.369{A847701F-3AAF-63EE-4005-00000000BB02}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000121692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:15.256{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F41F858AA56C1C8AD62723FEE500F17,SHA256=AB03FC06C6228C2A9BEBBD29B88922E2469F26D9090C61F8618A6A2BAD24CF44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:16.990{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E00587F75B650D459B0EF82CD64FF546,SHA256=70B21A540AC2FD14C82BD87B97A675A71C93196B01708C513D8276E57734D9FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:16.990{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0C7F0348B9C6B9A3A8C329953984F14,SHA256=D9107F8A944B6BE6E3CA68AF3C74ABEFE32F824F530104482D80C95F1321ADEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:16.343{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BAA0EBEA220D4B87F1BAB3C9A9BFB43,SHA256=0AD823E1C6342E2450BAE2B5AE79CDD931C3B9680831BC02D1FB03394BFEF40D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:13.279{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51705-false10.0.1.12-8000- 10341000x800000000000000090433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:16.089{A847701F-3AAF-63EE-4105-00000000BB02}40803748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:17.412{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD69577249AB7F5109B0C7C8979FB117,SHA256=A52ED2A429783A9D0A8D0E1226D84DAB435A54093C3A8C7043407B030E391FA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:15.415{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64757-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000121696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:18.503{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E0473A3E95C5BF6A7547AC18A933977,SHA256=D2755CDFFD6DCD830F1DF4E8BF7A76DC4862E30CCC350EC213B9AB82D4346FB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:18.856{A847701F-1283-63EE-2E00-00000000BB02}29242944C:\Windows\system32\conhost.exe{A847701F-3AB2-63EE-4205-00000000BB02}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:18.856{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:18.856{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:18.856{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:18.856{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:18.856{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:18.856{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:18.856{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:18.856{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:18.856{A847701F-127F-63EE-0C00-00000000BB02}7202860C:\Windows\system32\svchost.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000090440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:18.856{A847701F-127E-63EE-0500-00000000BB02}412528C:\Windows\system32\csrss.exe{A847701F-3AB2-63EE-4205-00000000BB02}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000090439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:18.856{A847701F-1281-63EE-1D00-00000000BB02}19442768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{A847701F-3AB2-63EE-4205-00000000BB02}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000090438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:18.857{A847701F-3AB2-63EE-4205-00000000BB02}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A847701F-127F-63EE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000090437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:18.109{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96A68A8E02DA4A19551C70A91CDEF7C0,SHA256=5C5223B8F2032DEBC991010FBBA707D35ED5603A18D3B0C329FFF3B76B8A92B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:19.581{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02134F2F96C6E1DC4358D2A0C953FF1D,SHA256=2221EABE28E3313335B0AC3E54FF1CCF01CA4820216222EC8A99BF2C69103C8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:19.191{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4D5FF174BACB109F073390F017E11FB,SHA256=119E553AD09F4DEF30AC53A52FFC8204703F7BEFC2847F12A2481A30FB647246,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:20.988{3F28B219-3AB4-63EE-BA05-00000000BA02}29046252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:20.699{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E9C209D5D322F6CECBC4F44050EB28FE,SHA256=FFC5A2630A4DA1473D911EFF01950DEA74F3AB3A3C280767D6D728562F8DE1FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:20.683{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE5331422010EDAB2AB7082FE852DC4B,SHA256=A8E069CFA143EFB243D38241ED74C22DF7DF2A05F8919BFFF2B23F606B2944D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:20.636{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3AB4-63EE-BA05-00000000BA02}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:20.636{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:20.636{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:20.636{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:20.636{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:20.636{3F28B219-1282-63EE-0500-00000000BA02}412428C:\Windows\system32\csrss.exe{3F28B219-3AB4-63EE-BA05-00000000BA02}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:20.636{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3AB4-63EE-BA05-00000000BA02}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:20.637{3F28B219-3AB4-63EE-BA05-00000000BA02}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000090480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:20.994{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000090479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:20.987{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000090478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:20.981{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000090477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:20.980{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000090476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:20.974{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000090475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:20.970{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000090474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:20.969{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000090473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:20.967{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000090472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:20.964{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000090471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:20.961{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000090470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:20.954{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000090469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:20.939{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000090468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:20.936{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000090467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:20.926{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000090466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:20.923{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000090465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:20.905{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000090464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:20.897{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000090463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:20.869{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000090462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:20.856{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000090461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:20.845{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000090460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:20.832{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000090459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:20.823{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000090458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:20.811{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000090457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:20.793{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000090456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:20.785{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000090455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:20.772{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000090454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:20.761{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x800000000000000090453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:20.757{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 23542300x800000000000000090452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:20.260{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D8ED1E0015D22A8130BAD8BBDCD353C,SHA256=5A38E3A45F4385220AA931573658EC80747168749D626D13C1C76F44E6F8B503,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:21.575{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=394E1C3F1CC780C816536BEEAAD687BA,SHA256=5E52C7354AE16672A27338550F7D1C530C42CA9D2453AE4BDD6F4EF5DACFD648,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:21.759{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=982329C4B911954862D2F1D2B22D6823,SHA256=4025A364B49AB52F7C4ABA5E0801174235B2CF047408828E3E1580B6DFFE064C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:21.681{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3AB5-63EE-BC05-00000000BA02}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:21.681{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:21.681{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:21.681{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:21.681{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:21.681{3F28B219-1282-63EE-0500-00000000BA02}412380C:\Windows\system32\csrss.exe{3F28B219-3AB5-63EE-BC05-00000000BA02}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:21.681{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3AB5-63EE-BC05-00000000BA02}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:21.682{3F28B219-3AB5-63EE-BC05-00000000BA02}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000121718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:21.665{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB09E38528013BD30B83B436091457BE,SHA256=C36E7D2F4AEBC8980B9D525D7640F1D19412530BC117BB4A4CD767DCAE321980,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:21.559{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0324EF0D14782DBFCB3CC012687C8330,SHA256=F0867751002F32A0E88215AA7A8CE056BC85845A711D16BE784992C1AB6FB968,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:21.144{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3AB5-63EE-BB05-00000000BA02}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:21.144{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:21.144{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:21.144{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:21.144{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:21.144{3F28B219-1282-63EE-0500-00000000BA02}412380C:\Windows\system32\csrss.exe{3F28B219-3AB5-63EE-BB05-00000000BA02}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:21.144{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3AB5-63EE-BB05-00000000BA02}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:21.145{3F28B219-3AB5-63EE-BB05-00000000BA02}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000090481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:21.000{A847701F-1281-63EE-1E00-00000000BB02}19762824C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012481810) 10341000x8000000000000000121738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:22.854{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3AB6-63EE-BD05-00000000BA02}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:22.854{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:22.854{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:22.854{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:22.854{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:22.854{3F28B219-1282-63EE-0500-00000000BA02}412524C:\Windows\system32\csrss.exe{3F28B219-3AB6-63EE-BD05-00000000BA02}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:22.854{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3AB6-63EE-BD05-00000000BA02}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:22.854{3F28B219-3AB6-63EE-BD05-00000000BA02}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000121730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:22.803{3F28B219-1293-63EE-2700-00000000BA02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-005f8c708c98243a3\channels\health\respondent-20230216112509-166MD5=DE2F6FF5F6089A1D133863F6C6ABB779,SHA256=312F361191EC382D27E1E315A8FE538B599FD4CE67F03B738C1FDCC32774781E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:22.723{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29CC09E828270E48ED1D830E691FD4F6,SHA256=EAB8F67890BC62685180D3B68BA9372050B4195F2CD8D88B784DF3F783F5E8FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:22.705{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9114D852607E5A14AD120B534EA563F,SHA256=AC7D32D8EB022B3AA7083C300DC03B19F5135740E1532CBF7392FF14E29DD701,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:19.283{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51706-false10.0.1.12-8000- 354300x8000000000000000121728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:21.334{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64758-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000121750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:23.977{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3AB7-63EE-BE05-00000000BA02}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:23.977{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:23.977{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:23.977{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:23.977{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:23.977{3F28B219-1282-63EE-0500-00000000BA02}412428C:\Windows\system32\csrss.exe{3F28B219-3AB7-63EE-BE05-00000000BA02}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:23.977{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3AB7-63EE-BE05-00000000BA02}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:23.977{3F28B219-3AB7-63EE-BE05-00000000BA02}5144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000121742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:23.819{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53BAA1364B8F832D74B3543E6D58E30C,SHA256=38A83E933B660C646E8C1FDE3CC20645BAD928D1D390711FC3A8C5DF85D50630,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:23.814{3F28B219-1293-63EE-2700-00000000BA02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-005f8c708c98243a3\channels\health\surveyor-20230216112508-167MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:23.781{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=578E25947D980DFF7DD6EC4CA8CBFDA4,SHA256=4E4B766AC8A6B7105D52BCE43668CA0D0BE2D0F448BF0AF8642EB4F383279C9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:23.479{3F28B219-1293-63EE-2E00-00000000BA02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=838E36EC86C89DC11140553ECD403A19,SHA256=3E1C88C5534250383734E93FD5F6D55B4DBDEEF3AA388F67F153EDB09FCC4BE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:23.057{3F28B219-3AB6-63EE-BD05-00000000BA02}65685892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:24.888{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08063664141D17AFA6C97DF67EC6C3DD,SHA256=AEC900E627CC4B464EAD390CEAA64422C28985A40B4D0373DD452966648F775E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:24.864{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD26070E38B0F1F13AC862B49CAA8765,SHA256=27607ACCD6410AE1C6E11EE6047E1A08D8E98BEC41E6979C2DFB6255D507760A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:24.707{3F28B219-3AB8-63EE-BF05-00000000BA02}25682080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:24.640{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3AB8-63EE-BF05-00000000BA02}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:24.640{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3AB8-63EE-BF05-00000000BA02}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:24.639{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3AB8-63EE-BF05-00000000BA02}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:24.639{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3AB8-63EE-BF05-00000000BA02}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:24.638{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3AB8-63EE-BF05-00000000BA02}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:24.638{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3AB8-63EE-BF05-00000000BA02}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:24.470{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3AB8-63EE-BF05-00000000BA02}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:24.470{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:24.470{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:24.470{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:24.470{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:24.470{3F28B219-1282-63EE-0500-00000000BA02}412428C:\Windows\system32\csrss.exe{3F28B219-3AB8-63EE-BF05-00000000BA02}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:24.470{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3AB8-63EE-BF05-00000000BA02}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:24.471{3F28B219-3AB8-63EE-BF05-00000000BA02}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000121751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:24.226{3F28B219-3AB7-63EE-BE05-00000000BA02}5144388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:25.996{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F70EAD7322C823EC1C11B9B42981624,SHA256=7B194C05826A60E23648075EC2D836777B98813E9E1D7B7CA569A98FC35B5BC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:25.945{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC0772FC2F1E927FBEAA411F20949C5D,SHA256=CA1D3097924631E1283F6F96974DAADA434E2D53497BA06A9E946AC49E182708,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:23.606{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local64759-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local389ldap 354300x8000000000000000121768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:23.606{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local64759-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-295.attackrange.local389ldap 10341000x8000000000000000121784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:26.630{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3ABA-63EE-C005-00000000BA02}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:26.630{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3ABA-63EE-C005-00000000BA02}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:26.630{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3ABA-63EE-C005-00000000BA02}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:26.629{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3ABA-63EE-C005-00000000BA02}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:26.629{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3ABA-63EE-C005-00000000BA02}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:26.629{3F28B219-14C1-63EE-EE00-00000000BA02}54885528C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3ABA-63EE-C005-00000000BA02}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x8000000000000000121778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:26.543{3F28B219-1295-63EE-3600-00000000BA02}31843216C:\Windows\system32\conhost.exe{3F28B219-3ABA-63EE-C005-00000000BA02}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:26.543{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:26.543{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:26.543{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:26.543{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000121773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:26.543{3F28B219-1282-63EE-0500-00000000BA02}412428C:\Windows\system32\csrss.exe{3F28B219-3ABA-63EE-C005-00000000BA02}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000121772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:26.543{3F28B219-1293-63EE-2E00-00000000BA02}27804084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3F28B219-3ABA-63EE-C005-00000000BA02}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000121771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:26.544{3F28B219-3ABA-63EE-C005-00000000BA02}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3F28B219-1283-63EE-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000090488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:24.301{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51707-false10.0.1.12-8000- 23542300x800000000000000090489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:27.016{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=916BAD55ED4DD86FC8C30A86FF700E3A,SHA256=0140449F1B76708050E8D2FA7009AD60D1AECEE0CC6FEDA5EFF899E0B8E280FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:27.688{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DAA930C979D2425E0B44F842271E263,SHA256=43699C5AF871CB43144AD66134B4523DFAFC0E2ACCA68EC870FE7262D859C853,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:27.071{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17168D54FBBC6B6B08D652B527DE1B71,SHA256=A1AC13AAF074329B32726910B03F52CFBE28B628706CC2720CCD8D7B2DB0892F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:28.086{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62001D5647FE8AE4D9588CE45427564E,SHA256=3A6A67C0ECF0E071C5A05CA5E30775283D720C8B1A49622BCFD921B538D24130,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:27.323{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64760-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000121787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:28.164{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33DC60C34094F9B22E8C96D16BD5440F,SHA256=726ED678B23885C16FF7500DD7769313874523C32F42DB166B4D1928C9200157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:29.166{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA19191C7BC90A5B61E9328B5F05D7F7,SHA256=957A959019934F40EF49815A53C73E9929FF5BA4C141A05E7341E9938C539E34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:29.644{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:29.639{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:29.635{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:29.625{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:29.616{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:29.604{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:29.601{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:29.579{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:29.559{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:29.551{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:29.542{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:29.540{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:29.527{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:29.492{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:29.480{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:29.468{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:29.446{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:29.431{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:29.415{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:29.368{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:29.350{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:29.326{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:29.305{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 23542300x8000000000000000121791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:29.246{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBC8054F12C37AD2FD7BA0D4DC121EB5,SHA256=D807DD4E78A617DB51BC8D4C8339C8FACB7B2ED9A0DD28422645DB0EE4081D9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:29.177{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:29.154{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 23542300x800000000000000090492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:30.256{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=719E1B5A5204CCD59E0E558EFC420C70,SHA256=E52B969D169A20A964FA80304D69B5C5569BAF5A6D019EEDFBCFF2322E5F2295,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:30.733{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=936384DB5C61FA28735514C94595E335,SHA256=00D9812BA329DCB37EA9058030BC8C10AE5E02E05B3823CFB367F3EBAF3F01F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:30.263{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BF2F1EFF1D8C76D50702E5F3C1F9053,SHA256=76AFFB9BAF8B3AC04E5DF6D4A0CF602A8FBA2735997E406D9AE7A7ACE3606A3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:30.177{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 23542300x800000000000000090493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:31.344{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEAF7F1C9C3C0F14BE8B87A1873DC906,SHA256=2DF225F404ED1665E60ABFF00BF6F2C38B3C5C14C76A208C614E01EE836B0998,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:31.226{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978E09BF152F7D875726A9DC2D0B9D61,SHA256=A28090569EDE91255AF485143A0B823A48BB8FC8C290B578FEE631E416DC2707,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:30.164{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51708-false10.0.1.12-8000- 23542300x800000000000000090494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:32.423{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D062B0888DD0B681AE08F0E3531384F9,SHA256=2BA05E84D10D90857E1E592893A174D208770C28D3CFBFA3F2B632C762E157BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:32.914{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:32.890{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:32.889{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:32.877{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:32.867{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:32.840{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:32.828{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:32.786{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:32.778{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:32.759{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:32.754{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:32.752{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:32.749{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:32.746{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:32.743{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:32.742{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:32.739{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:32.554{3F28B219-1285-63EE-0C00-00000000BA02}8326324C:\Windows\system32\svchost.exe{3F28B219-14C1-63EE-EE00-00000000BA02}5488C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000121822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:32.313{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3043B2A3DD2C86638C669D76D9AB2AF7,SHA256=3BB3790C3A4BCACDBDCE0AB0D4E3098DF71639345896DB9386E97B67126E08DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:32.233{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:32.233{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:32.233{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 23542300x800000000000000090496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:33.505{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=508363597B095A114BFE042C15AFEF70,SHA256=AF4D283CEFA7CFA8914C16D7EDB328B24C9764A35229A936AB23DE0EABE0A5B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:33.277{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43AB61FCDA8385745A551D36B0E6EE2A,SHA256=7046AF1A3027746D05A2A0B4C4355BD5B1B0BE4D9A3FB1AE6719A52B6EDE890E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:33.217{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64761-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000121842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:34.368{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D359DB658E02B0CEF48C8AD8765713,SHA256=24038DAEC0C56E93CBE39B5BDAC7BE744F94D01A9D9C8153F1EAC69054F17EB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:34.580{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DDD7F4BFE3695FF32301D39E9AA6D5B,SHA256=BB589A949C3224BC3A0BE64EC13850E04E4DF8DA3C8AC8A33708BCF8E710E52A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:35.449{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75F408280898DC73471829429D73B718,SHA256=47EE80E70FB24FCB107DC825BBA1AA560E4B5551F8D21A2A9AFBB457E4C94AC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:35.665{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A02C47862788CD5A50A02F2FB8D40E6,SHA256=F39D6CB79D1590CEFB9CEE1BCA0FE765DA32B58DC6CE9DFC141ED0BB5C9A0EF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:36.528{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59C4D1066B038ED0C8CFD22AC72E75FA,SHA256=E0F8FD97DAF9A7CBD21D648C6D1278527040AF40A7C18D32078BDDB1FB93EAB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:36.725{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75F1BB47569A7D837D77ED0AE9C9CF86,SHA256=8F9A3DFC001510CB68244D4DC5F56C08BA233A560C4CF7D94EFCA37B611F7547,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:37.605{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6BD032CF361F0939E448BD756657DB0,SHA256=2F100876B78058CA773EE71DF5F30E7ACEF699AB9AF0C143D3A82640D9F7D1C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:37.803{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE451A28371E7E95A049D2BC11FCB5DB,SHA256=42F8BD7B45C25CC7473CB8483FF5C7198460FF209B93EBE4BB6691383C0D3F58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:38.703{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE48A851E610F6749F9DAD78574B034A,SHA256=1319373647B4F9AD53C21C3B672B6E5E6E6804D332E0C9033DBC70CE319A2812,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:38.879{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A03077352A092BD80FCA7502A6CDD23A,SHA256=B29E08D27D67C33F7C3D9A2C16BE3A67A23659398CBDBFD2CAF2D87F123CAD98,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:35.336{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51709-false10.0.1.12-8000- 23542300x800000000000000090503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:39.982{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=107237C0503356D526419EE65A6CDA70,SHA256=66C00C541655C75D13B060D05F8A230B98DF5FFD72B895C8D610B1028B2B57B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:39.810{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47ACC77C1BC6EE1D9ECC8E3BE6825979,SHA256=6119F1BCAB5F00F40C72DE15F7E1F59F0837114B8B7E8A5E3481DEF5B08F8A66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:40.897{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44CE5EC304BED0708CFD8205014E1662,SHA256=37B4254CB6B92BC9C67F7C9A87583F6A225EFD5E43DD5B019D22655382FDEC93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000090532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:40.939{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-3507-63EE-9304-00000000BB02}2840C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:40.936{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-12FD-63EE-8200-00000000BB02}516C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:40.933{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-129D-63EE-7400-00000000BB02}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:40.931{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:40.930{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3D00-00000000BB02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:40.928{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1285-63EE-3C00-00000000BB02}2928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:40.926{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1283-63EE-2E00-00000000BB02}2924C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:40.925{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2600-00000000BB02}2584C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:40.923{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1282-63EE-2500-00000000BB02}2420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:40.918{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2200-00000000BB02}2032C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:40.912{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-2100-00000000BB02}2024C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:40.906{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1F00-00000000BB02}1992C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:40.897{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1D00-00000000BB02}1944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:40.892{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1C00-00000000BB02}1884C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:40.885{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1900-00000000BB02}1748C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:40.883{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1700-00000000BB02}1192C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:40.872{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1281-63EE-1600-00000000BB02}1184C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:40.865{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1500-00000000BB02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:40.833{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1400-00000000BB02}848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:40.824{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1300-00000000BB02}616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:40.812{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1200-00000000BB02}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:40.804{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1100-00000000BB02}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:40.795{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-1000-00000000BB02}936C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:40.785{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0F00-00000000BB02}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:40.776{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-1280-63EE-0E00-00000000BB02}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:40.771{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0D00-00000000BB02}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:40.764{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0C00-00000000BB02}720C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:40.757{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127F-63EE-0B00-00000000BB02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 10341000x800000000000000090504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:40.755{A847701F-1281-63EE-1E00-00000000BB02}19762876C:\Program Files\Aurora-Agent\aurora-agent.exe{A847701F-127E-63EE-0900-00000000BB02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012480CD0) 23542300x8000000000000000121849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:40.669{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2879A8A4177F23DA530DF4BC3CDB76A7,SHA256=07673E7B2D48AE6E36B79F2131916CBE53DB976E392D4390AD29071562944F11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:41.970{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=245D65C8618758D7BBB7C403258A08BB,SHA256=40004E659F29D92339BCA63BCDC259EB78F7FA3DEE36F9D725CE0219DD6B92F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:41.293{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5B26BD6E975B1F0D07426C97148BABE,SHA256=00590D3378AD0C8D231B3D6B5505B45779EA9744851BF79C88DACC5E69C5917A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:39.202{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64762-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000090535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:42.608{A847701F-1281-63EE-1D00-00000000BB02}1944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FC1E86D9A964EF5E50FA5BEE2E955A20,SHA256=760E897286887BA38A02A70A5F9AEA40FC0AC281FB557128DAED74A9A2BFD7AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:42.405{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23F9D74A4FB648CF8127004AB1948F3F,SHA256=D822FEA05C54A2FC2CBEEA3288EFEF8D05918A3951F690378B608491EDCA3481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:43.509{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B169C461C4F1C3E2C0A4830738C97ADA,SHA256=BAA9D9281F2618E0F0968425702B824FB9FB54E3E0B707D751BAA0D80215B8D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:43.058{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A75BD104F0EFB2981F3C8AC6F9655005,SHA256=A5F3FF0EB39AC47FA385FCE2BA699F49189A1A258911CDBF687CA5C2AAFAC25B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:44.585{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2757795347EE2B687C4354C3882C4142,SHA256=DFCBE158FA70CD2D8B3B8A67AB87827CF2746345C98928237F2AEDDAB184FB8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:44.142{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC68F3189E7A93495B3F0C0633CB0E72,SHA256=44649055973DD760175361C17851C3D0BDA135EEAA8A1DE78FEF15C5D616BAD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:41.267{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51710-false10.0.1.12-8000- 23542300x800000000000000090539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:45.666{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA4C35B55484AE196B3DCEFFFCC81FC4,SHA256=313F4892011DF1AC9BB81EDF5558E563C7B07F30AF8E06F623F629EE9ECD90DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:45.223{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96F911FB8007FDEE030DF2854D6747FC,SHA256=C291E8AAD0EB654938432B5494B3EBF538FFD51D8A7400F48D302FAF7425F5A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:46.769{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA38FD639A83BF09C7C3E05999CFD29C,SHA256=E7ACAC73993FC4A8B6150CA802880B0EBBB4462C0C966B1F6F32616C9CF7E431,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:46.304{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B747FC70E0A94F54A4D0286FE5797984,SHA256=D0ABCE9D940607AE5AC68A8ABECF6A0FDC3E66A278EB762DCD1ECA8255649681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:47.863{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E5E1A7D66F88331557B36443D1D2BA5,SHA256=5FC58D95D77DD4AB06544E420389D45AABEFED6BDB916AF4830FA389EFFBFD35,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:45.209{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64763-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000121857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:47.401{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=417CE8F5126F461B553E02E450772382,SHA256=C039D81129DDEF860237B4BFD8857EE7D81BE7D39440DC1CAC3D91B0893507E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:48.971{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06A511C86C5D4AAF881B5B931CA1AD68,SHA256=77A0C038C8D8BBC6A1DC844C95F2299D9A46D6542CE23AECB41BBF3A6FBBE6C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:48.495{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCB7B7A8C10817ADA4DFB3B7B3DA1447,SHA256=9143F8E7016C6A25018ED8B5B7301D1785715CC04664421F5A4AD7256E27281F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:49.949{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3000-00000000BA02}2828C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 23542300x8000000000000000121885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:49.545{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA166FAB2309566A08F7C28FC5DBF25,SHA256=FB5BB18085A2D2A04C9C2C7DE080233EBCF6AD4F3E9881A0F55001FD43459D2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:49.451{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2F00-00000000BA02}2800C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:49.440{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2E00-00000000BA02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:49.436{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2C00-00000000BA02}2688C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:49.425{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2B00-00000000BA02}2672C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:49.420{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2A00-00000000BA02}2652C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:49.410{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2800-00000000BA02}2624C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:49.408{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2700-00000000BA02}2592C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:49.395{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2600-00000000BA02}2584C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:49.385{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-2500-00000000BA02}2512C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:49.380{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-128F-63EE-2300-00000000BA02}2360C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:49.377{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1286-63EE-1B00-00000000BA02}1960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:49.375{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1700-00000000BA02}1416C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:49.367{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1600-00000000BA02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:49.344{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1500-00000000BA02}1124C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:49.335{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1400-00000000BA02}1064C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:49.322{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1300-00000000BA02}820C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:49.307{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1100-00000000BA02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:49.292{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1200-00000000BA02}768C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:49.275{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-1000-00000000BA02}296C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:49.242{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0F00-00000000BA02}304C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:49.233{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0E00-00000000BA02}996C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:49.214{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0D00-00000000BA02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:49.199{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1285-63EE-0C00-00000000BA02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:49.128{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1283-63EE-0B00-00000000BA02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:49.123{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1282-63EE-0900-00000000BA02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 23542300x8000000000000000121888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:50.702{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B54C1E79F0E296D5980F4F27E754AE40,SHA256=4DD8C5D00E28A914A0A3A978A7E686C57353641E3E95A3CF3144BCE74B01B941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:50.655{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=60C792B1DAFD55E01F0D6865F3FAAB8B,SHA256=0A0D3A47D10ED25E51A4DDAC8D9E6CD906E4B095B2AA318F4EA915A0F08A731E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000090544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:47.157{A847701F-1295-63EE-6400-00000000BB02}3268C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-732.us-east-2.compute.internal51711-false10.0.1.12-8000- 23542300x800000000000000090543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:50.066{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88D901570BE3440DE4222485F533DBB6,SHA256=ADF07DAFDF5F071F7B134795F982ED533AF552D33F2A99435D7F14A1F00CFEA0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000121892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:51.998{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3C00-00000000BA02}3316C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:51.996{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-3600-00000000BA02}3184C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:51.995{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1293-63EE-3100-00000000BA02}3004C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 23542300x8000000000000000121889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:51.769{3F28B219-12A7-63EE-7B00-00000000BA02}3800NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F72E37AB0B6A8FE20C1919190DFB92B1,SHA256=BAF523DE4ECFB66F80E16D71839F1163B40B57ADF96C47EFD3B65ABEC1875068,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:51.142{A847701F-129D-63EE-7400-00000000BB02}2636NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42F3869D5D6848D36D7F10A2B9481AEC,SHA256=A9C7A6F2B16D905967EDF53DA710A6C6B114B8AED29EC48FB37621C132C1AF06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000090545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-732-2023-02-16 14:16:51.064{A847701F-1280-63EE-1200-00000000BB02}1016NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=7081FA3CCC0E9F1DC6B90B8FE3C1CC06,SHA256=E9F6FF43ED556950CB7BA801C85341CDA2828BFCCC848908A48ADA69FD2256FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000121910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:51.204{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-295.attackrange.local64764-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000121909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:52.672{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8205-00000000BA02}5840C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:52.656{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3902-63EE-8105-00000000BA02}6812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:52.653{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-38FE-63EE-8005-00000000BA02}5480C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:52.648{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-3034-63EE-6704-00000000BA02}4856C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:52.642{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-15C5-63EE-3701-00000000BA02}5348C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:52.612{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C4-63EE-F300-00000000BA02}5996C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:52.594{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14C2-63EE-F200-00000000BA02}5860C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:52.555{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AE-63EE-D900-00000000BA02}5020C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:52.547{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-D000-00000000BA02}4988C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:52.532{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AC-63EE-CD00-00000000BA02}4704C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:52.522{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14AA-63EE-C900-00000000BA02}4272C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:52.520{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-14A9-63EE-C700-00000000BA02}4420C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:52.516{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-130D-63EE-8900-00000000BA02}4196C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:52.513{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A7-63EE-7B00-00000000BA02}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:52.510{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-12A0-63EE-7100-00000000BA02}4028C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:52.509{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4500-00000000BA02}3636C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850) 10341000x8000000000000000121893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-295.attackrange.local-2023-02-16 14:16:52.506{3F28B219-14C1-63EE-EE00-00000000BA02}54885644C:\Program Files\Aurora-Agent\aurora-agent.exe{3F28B219-1295-63EE-4100-00000000BA02}3516C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080850)